Abstract


A specification language is a medium for expressing what is computed 
rather than how it is computed. Specification languages share some features 
with programming languages but are also different in several important ways. 
For our purpose, a specification language is a logic within which the behavior 
of computational systems can be formalized. Although a specification can be 
used to simulate the behavior of such systems, we mainly use specifications to 
state and prove system properties with mechanical assistance. 

We present the formal semantics of the specification language of SRI's
Prototype Verification System (PVS). This specification language is based on 
the simply typed lambda calculus. The novelty in PVS is that it contains very 
expressive language features whose static analysis (e.g., typechecking) requires 
the assistance of a theorem prover. The formal semantics illuminates several of 
the design considerations underlying PVS, particularly the interaction between 
theorem proving and typechecking. 
Chapter 1
Introduction 


PVS is a system for specifying and verifying properties of digital hardware
and software systems. The specification language of PVS is designed to admit
succinct, readable, and logically meaningful specifications. The PVS
specification language is designed for effective proof construction rather
than efficient execution. The design considerations underlying the language
are therefore somewhat different from those of a corresponding programming
language. For example, the language contains constructs that can be statically
typechecked only with the assistance of a theorem prover. This is acceptable
because the PVS specification language is intended for use in conjunction with
powerful support for automated theorem proving. The logic of PVS is based on a
simply typed higher-order logic with function, record, and product types, and
recursive type definitions. This type system is extended with subtypes that
are analogous to subsets, and with dependently typed functions, records, and
products. The resulting type system has several advantages. It is possible,
for instance, to statically ensure that all array references are within their
respective array bounds. PVS specifications are organized into theories that
can be parametric in types as well as individuals. While the semantics of the
simply typed fragment is straightforward, the extensions such as subtyping,
dependent typing, and (theory-level) parametricity do pose significant
challenges. This report presents a concise but idealized definition of the PVS
specification language and its intended formal set-theoretic semantics. It is
neither an overview of the PVS language nor a guide to the Prototype
Verification System (see the PVS user manuals [OSRSC98]).

The primary purpose of the formal semantics is as a useful reference for the 
developers and users of PVS. The idealized core of the specification language 
as presented here serves as a succinct foundation for studying the expressive 
power of the language. Pertinent questions about PVS are answered directly
by the formal semantics presented here:

1. What is the semantic core of the language, and what is just syntactic 
sugar? 

2. What are the rules for determining whether a given PVS expression is 
well typed? 

3. How is subtyping handled, and in particular, how are proof obligations 
corresponding to subtypes generated? 

4. What is the meaning, in set-theoretic terms, of a PVS expression or 
assertion? 

5. Are the type rules sound with respect to the semantics? 

6. Are the proof rules sound with respect to the semantics? 

7. What is the form of dependent typing used by PVS, and what kinds of 
type dependencies are disallowed by the language? 

8. What is the meaning of theory-level parametricity, and what, if any, are 
the semantic limits on such parameterization? 

9. What language extensions are incompatible with the reference semantics 
given here? 

Chapter 8 summarizes the answers to these questions. 

1.1 Real versus Idealized PVS 

The semantic treatment in this report is incomplete in some important ways. 
It does not treat the nonlogical parts of the language. In particular, it ignores 
arithmetic and recursive definitions. It also omits abstract datatypes [OS97]. 
These will be treated in a future expanded version. 

The present semantics also makes several idealizations from the real PVS 
for the purpose of clarity. While the semantic treatment is not comprehensive, 
the idealization of PVS used here is faithful to the implemented form of PVS. 

1. No name resolution. All names must be in fully resolved form with their
theory name and actual parameters. We regard name resolution as a
convenience provided by the PVS type checker and not an operation
with any semantic relevance. A technical description of name resolution
in PVS will be given elsewhere.

2. No overloading. As with name resolution, overloading is a syntactic 
convenience with no semantic import. 

3. No IMPORTINGs. The importing of theories is a hint to name resolution. 
The semantic definition assumes that all instances of theories declared 
prior to the present one are visible. 

4. Variable declarations ignored. All variables must be locally declared. 
Global variable declarations are regarded as a syntactic convenience. 

5. No records. These are ignored in the semantic treatment since product 
types capture all the semantically essential features of records. 

1.2 Semantic Preliminaries 

The PVS specification language is based on higher-order logic. This means
that variables can range over individuals (such as numbers) as well as
functions, functions of functions, and so on. As is well known, some type
distinction is needed; otherwise, it is easy to obtain a contradiction by
defining the predicate N(P) as ¬(P(P)) so that both N(N) and ¬N(N) hold. In the
theory of types [Chu40], the universe is stratified into distinct types so that
a predicate can be applied only to a lower type and thus cannot be applied to
itself.

Types also serve as a powerful mechanism for detecting syntactic and
semantic errors through typechecking. This role of types is best exemplified
by their use in various programming languages such as Algol, Ada, and ML, and
is also heavily emphasized in the PVS type system.

The desirability for strong typing in a specification logic is not widely
accepted. Fraenkel et al. [FBHL84] express the opinion that such typing is
repugnant in a mathematical logic since it constrains expressiveness by not
allowing individuals of differing types to be treated uniformly. Lamport
[Lam94] argues that type correctness is like any other program property and
should be established by means of a proof rather than by syntactic restraints.
Lamport and Paulson [LP97] analyze the tradeoffs between typed and untyped
specification languages. We claim that

1. Types impose a useful discipline on the specification. 

2. Types lead to easy and early detection of a large class of syntactic and 
semantic errors. 
3. Type information is useful in mechanized reasoning.

The semantics of a higher-order logic is given by mapping the well-formed
types of the logic to sets, and the well-formed terms of the logic to elements
of the sets representing their type. The set constructions we use can be
formalized within Zermelo-Fraenkel set theory with the axiom of choice (ZFC).
The intended interpretation of a function type in higher-order logic is that it
represents the set of all functions from the set representing the domain type
to the set representing the range type.¹ PVS also has predicate subtypes that
are to be interpreted over the subsets of the set representing the parent type.

The semantics of PVS will be given by considering a sequence of increasingly
expressive fragments of PVS. The semantics of each fragment of PVS will be
presented in three steps. The first step is to define a set-theoretic universe
containing enough sets to represent the PVS types. The second step is to define
a typechecking operation that determines whether a given PVS expression is well
typed. The third step is to define a semantic function that assigns a
representation in the semantic universe to each well-typed PVS type and term.

We first lay out the ZFC set constructions needed for defining the semantics
of PVS. The base types in PVS consist of the Booleans bool and the real
numbers real. The Booleans can be modeled by any two-element set, say 2,
consisting of the elements 0 and 1, where 0 is the empty set and the only
element of the set 1. The real numbers can be captured by means of Dedekind
cuts or Cauchy sequences, and we label this set ℝ.

To define the semantics, we need a universe that contains the sets 2 and
ℝ and is closed under Cartesian products (written as X × Y) and power sets
(written as ℘(X)). Note that functions are modeled as graphs, that is, sets
of ordered pairs, so that a function type [A→B] is represented by a subset of
the powerset ℘([[A]] × [[B]]) of the Cartesian product of the sets [[A]] and
[[B]] representing A and B, respectively. A set F that is a subset of X × Y is
the graph of a function with domain X and range Y if for every x ∈ X there is
a y ∈ Y such that (x, y) ∈ F, and whenever (x, y) ∈ F and (x, y') ∈ F, we
have y = y'. For such a set F, Function(F) holds and dom(F) = X. The set of
graphs of total functions from a set Y to a set X is represented as X^Y.

¹ It is only in the standard model of higher-order logic that the function type is required
to represent the set of all functions from the domain set to the range set. Higher-order 
logic can be interpreted in general models where the function type can be interpreted in 
any manner as long as it satisfies the various axioms such as application, abstraction, and 
extensionality [And86]. Higher-order logic is complete with respect to the general models 
interpretation so that a statement that is valid in all models is provable. It is, however, 
incomplete with respect to the standard model. 
If F is the graph of a function and t an element in its domain, then F(t)
represents the result of applying the function F to t. At the semantic level, a
function F will never be applied to an argument t outside dom(F), because in
the PVS language, a function application is typechecked so that the argument
expression has the same type as the domain type of the function expression.

We can model the entire type universe of the simply typed fragment of
PVS by the set U, which is defined cumulatively by starting from the base
sets 2 and ℝ, and including the Cartesian products, the function spaces, and
subsets of previously included sets, at each stage. Cartesian products are used
to model products in PVS, and function spaces model function types. Subsets
are needed to model predicate subtypes. It is sufficient to iterate these stages
up to the ordinal ω.

Definition 1.1 (type universe)

$$
\begin{array}{lcl}
U_0 & = & \{2, \mathbb{R}\} \\
U_{i+1} & = & U_i \cup \{X \times Y \mid X, Y \in U_i\} \cup \{X^Y \mid X, Y \in U_i\} \cup \bigcup_{X \in U_i} \wp(X) \\
U_\omega & = & \bigcup_{i < \omega} U_i \\
U & = & U_\omega
\end{array}
$$


We refer to U as the basic universe.² The semantic definitions below will
assign a set in U to each PVS type and an element in ⋃U to each well-typed
term of PVS. The rank of a set X in U is the least i such that X ∈ U_i. The
notion of rank plays an important role in the semantics of dependent types
and parametric theories.

1.3 Related Work 

There is a long history of work in specification languages. Many ideas sim- 
ilar to those underlying the PVS specification language also occur in other 
specification languages. 

The wide-spectrum languages are typically based on set theory or higher-order
logic. The language VDM is one of the earliest such specification formalisms
[Jon90]. It is based on a first-order logic with partial functions augmented
with datatype axioms. The datatype theories in VDM include those

² The inclusion of X^Y in U is actually redundant but aids clarity.
for finite sets, maps, sequences, and recursive datatypes such as lists and
trees. VDM has a notion of datatype invariants that yields a simple form of
predicate subtyping. Operations on state are specified in terms of
pre-condition/post-condition pairs. Specifications are structured into
parameterized modules. In contrast to VDM, the PVS language is based on
strictly typed higher-order logic with a built-in notion of predicate subtyping
and dependent typing. The resulting PVS logic is more compact in that many of
the datatypes that are presented axiomatically in VDM can be defined within
PVS. There is no built-in notion of state in PVS since it is possible to use
the higher-order logic of PVS to define a variety of state-based formalisms,
including various linear and branching-time temporal logics. VDM uses a
3-valued logic for the logical connectives in order to deal with partial
functions, whereas PVS uses a classical 2-valued logic and predicate subtyping
to assign a type to a partial function as a total function on its domain of
definition. Jones [Jon90] provides only an informal semantics for VDM. The
RAISE system is a comprehensive toolset based on the ideas of VDM [RAISE92].

The Z specification language [Spi88] is another wide-spectrum language
based on a typed first-order set theory. A Z specification is a collection
of schemas consisting of declarations of types and constants accompanied
with invariants. Z schemas can either specify datatype invariants or
pre-condition/post-condition constraints. A schema calculus is used to combine
schemas using logical connectives. Spivey [Spi88] presents a formal semantics
for Z without giving a proof system or a soundness proof. Spivey's treatment
of partial functions in the Z semantics employs the commonly used convention
that f(a) when a is not in the domain of f is some arbitrarily chosen value.
This is fine for most purposes but can be confusing when dealing with
recursively defined partial functions. For example, the definition
bad(x) = 1 + bad(x) is everywhere undefined but admitting it as an axiom
leads to an immediate contradiction. Z also lacks any mechanism for
conservative extensions such as definitional principles for constants and
datatypes so that the consistency of a Z specification has to be demonstrated
by exhibiting a model.

Algebraic specification languages like OBJ [FGJM85] and Larch [GH93]
provide an equational/rewriting framework for specifying datatypes and
operations on datatypes. OBJ has many of the same theory parameterization
mechanisms as PVS. The subsort mechanism in OBJ is also similar except
that it is handled by introducing retracts or runtime checks rather than proof
obligations generated by the type checker. The OBJ logic is quite restricted
compared to PVS since it is based on a first-order, equational framework with
an initial semantics where two ground terms are distinct unless they can be
proved equal. OBJ has very limited support for proof development and is
primarily intended as an executable specification language.

The specification languages that are closer to PVS are those that accompany
various automated proof checking systems. The closest of these is
Ehdm [EHDM93], which employs a similar higher-order logic with subtyping
and proof obligation generation. Ehdm lacks many of the features of PVS:
subtyping is restricted to type declarations and there is no dependent typing.

Higher-order logic is used by other systems such as HOL [GM93] and
TPS [AMCP84]. Both HOL and TPS employ simply typed higher-order logic
without features such as subtyping, dependent typing, or parametric theories.
Andrews [And86] gives a thorough account of the semantic aspects of
higher-order logic. The formal semantics of the HOL logic are carefully
outlined (by Pitts) in the book by Gordon and Melham [GM93].

Systems like Coq [DFH+91] and Nuprl [CAB+86] are based on intuitionistic
higher-order logics. Coq allows quantification over types, whereas Nuprl has
quantification over a hierarchy of type universes. Both logics admit dependent
typing. The set-theoretic semantics of dependently typed intuitionistic type
theories has been studied by Dybjer [Dyb91] and Howe [How91, How96]. Not
surprisingly, their semantic treatment of dependent typing is similar to the
one given here, but they do not delimit the possible dependencies as is done
with the PVS semantics. The PVS semantics presented here clearly specifies
the kind of type dependencies that are disallowed in the logic. Dybjer and
Howe also do not address subtyping but do describe the semantics of language
features missing in PVS (type universes in the case of Howe, and inductive
families in the case of Dybjer). Dybjer does not identify the universe over
which terms and types are interpreted. Howe requires an infinite sequence of
inaccessible cardinals for his universe construction.


1.4 Outline 

In Chapter 2, we define the syntax and semantics of the simply typed fragment
of PVS. Type definitions are also introduced in this chapter along with the
definition of definitional equivalence on types. Chapter 3 adds subtyping to
the simply typed fragment and specifies the additional type rules and semantic
definitions that are needed. Chapter 4 extends the language with dependent
function and product types. Theories and parametric theories are introduced
into the language in Chapter 5. The type rules and semantics for conditional
expressions and the logical connectives defined using conditional expressions
are introduced in Chapter 6. Chapter 7 specifies the axioms and inference
rules of PVS.



Chapter 2 

The Simple Type Theory 


PVS is a strongly typed specification language. The simply typed fragment
includes types constructed from the base types by the function and product
type constructions, and expressions constructed from the constants and
variables by means of application, abstraction, and tupling. Expressions are
checked to be well typed under a context, which is a partial function that
assigns a kind (one of TYPE, CONSTANT, or VARIABLE) to each symbol, and a type
to the constant and variable symbols. We use the metavariables Γ, Δ, and Θ
to range over contexts. The metavariables A, B, and T range over PVS type
expressions, the metavariables r and s range over symbols (identifiers), the
metavariables x and y range over PVS variables, and the metavariables a, b,
f, and g range over PVS terms. Given a context Γ and a symbol s, we say
that Γ(s) is undefined if s is not declared in Γ.

The pretypes of the simple type theory include the base types such as bool
and real. A function pretype from domain pretype A to range pretype B is
constructed as [A→B]. A product pretype of A₁, A₂ is constructed as [A₁, A₂].
A type is a pretype that has been typechecked in a given context. Types in
the simple type theory are simple enough that the only distinction between
pretypes and types is that the symbols in a type must be appropriately declared
in the given context.

Example 2.1 (pretypes) bool, real, [bool, real], [[real, bool]→bool]. ■

The preterms of the language consist of the constants, variables, pairs,
projections, applications, and abstractions. The metavariables c and d range
over constants. Pairs are of the form (a₁, a₂) where each a_i is a preterm.
Applications have the form f a where f and a are preterms. A pair projection
is an expression of the form p_i a, where i ∈ {1, 2}. Lambda abstractions have
the form λ(x : T) : a, where T is a pretype and a is a preterm. Parentheses are
used for disambiguation. A term is a preterm that has been typechecked in a
given context.

Example 2.2 (preterms) TRUE, ¬TRUE, λ(x : bool) : ¬(x),
p₂(TRUE, FALSE), (TRUE, λ(x : bool) : (¬x)). ■


2.1 Contexts 

A context is a sequence of declarations, where each declaration is either a
type declaration s : TYPE, a constant declaration c : T where T is a type,
or a variable declaration x : VAR T. Preterms and pretypes are typechecked
with respect to a given context. The empty context is represented as {}. The
well-formedness rules for contexts are presented below. A context can also
be applied as a partial function so that for a symbol s with declaration D,
(Γ, s : D)(s) = D and (Γ, s : D)(r) = Γ(r) for r ≠ s. If s is not declared in
Γ, then Γ(s) is undefined. If Γ is a context, then for any symbol s, the kind
of the symbol s in Γ is given by kind(Γ(s)). If the kind of s in Γ is CONSTANT
or VARIABLE, then type(Γ(s)) is the type assigned to s in Γ.

Example 2.3 (context)

bool : TYPE, TRUE : bool, FALSE : bool, x : VAR [[bool, bool]→bool] ■

2.2 Type Rules 

The type rules for the simple type theory are given by a recursively defined
partial function τ that assigns

1. A type τ(Γ)(a) to a preterm a that is well typed with respect to a context
Γ.

2. The keyword TYPE as the result of τ(Γ)(A) when A is a well-formed type
under context Γ.

3. The keyword CONTEXT as the result of τ(Γ)(Δ) when Δ is a well-formed
context under context Γ. The context Γ is empty for the simply typed
fragment so that typechecking is always invoked as τ()(Δ).

Otherwise, τ is undefined in the case of an ill-typed preterm or an ill-formed
type or context.
The type rules are given by the recursive definition for τ. Typechecking
in PVS assigns a "canonical" type to a preterm. Customarily, type rules are
presented as inference rules, but a functional presentation is more appropriate
for PVS since


1. The type assignment is deterministic. A term can, in general, though 
not in the simply typed fragment, be assigned a number of types but it 
always has at most one canonical type. 

2. The soundness proof need only show that the meaning of the term is an 
element of the meaning of its canonical type. Thus, only the canonical 
type derivation for a term has to be shown sound and not every valid 
type derivation. 

3. The meaning of a term is therefore given by recursion on the term itself 
and not on its typing derivation. There is no need to show separately that 
this meaning is coherent, that is, independent of the typing derivation.

A functional presentation of the type rules also leads to natural and
straightforward soundness arguments. Note that the well-formedness rules for
contexts and types are trivial in the simply typed situation but become more
meaningful when the type theory is extended. Note also that in the type rules
for expressions and types, the well-formedness of the relevant context is not
explicitly checked. These rules do preserve the well-formedness of the context
in each recursive call so that if the initial context is well formed, then so
is every intermediate one.


Definition 2.4 (type rules)

$$
\begin{array}{lcl}
\tau()(\{\}) & = & \mathrm{CONTEXT} \\
\tau()(\Gamma, s : \mathrm{TYPE}) & = & \mathrm{CONTEXT},\ \text{if } \Gamma(s) \text{ is undefined and } \tau()(\Gamma) = \mathrm{CONTEXT} \\
\tau()(\Gamma, c : T) & = & \mathrm{CONTEXT},\ \text{if } \Gamma(c) \text{ is undefined, } \tau(\Gamma)(T) = \mathrm{TYPE}, \text{ and } \tau()(\Gamma) = \mathrm{CONTEXT} \\
\tau()(\Gamma, x : \mathrm{VAR}\ T) & = & \mathrm{CONTEXT},\ \text{if } \Gamma(x) \text{ is undefined, } \tau(\Gamma)(T) = \mathrm{TYPE}, \text{ and } \tau()(\Gamma) = \mathrm{CONTEXT} \\
\tau(\Gamma)(s) & = & \mathrm{TYPE},\ \text{if } \mathit{kind}(\Gamma(s)) = \mathrm{TYPE} \\
\tau(\Gamma)([A \to B]) & = & \mathrm{TYPE},\ \text{if } \tau(\Gamma)(A) = \tau(\Gamma)(B) = \mathrm{TYPE} \\
\tau(\Gamma)([A_1, A_2]) & = & \mathrm{TYPE},\ \text{if } \tau(\Gamma)(A_i) = \mathrm{TYPE} \text{ for } 1 \le i \le 2 \\
\tau(\Gamma)(s) & = & \mathit{type}(\Gamma(s)),\ \text{if } \mathit{kind}(\Gamma(s)) \in \{\mathrm{CONSTANT}, \mathrm{VARIABLE}\} \\
\tau(\Gamma)(f\ a) & = & B,\ \text{if } \tau(\Gamma)(f) = [A \to B] \text{ and } \tau(\Gamma)(a) = A \\
\tau(\Gamma)(\lambda (x : T) : a) & = & [T \to \tau(\Gamma, x : \mathrm{VAR}\ T)(a)],\ \text{if } \Gamma(x) \text{ is undefined and } \tau(\Gamma)(T) = \mathrm{TYPE} \\
\tau(\Gamma)((a_1, a_2)) & = & [\tau(\Gamma)(a_1), \tau(\Gamma)(a_2)] \\
\tau(\Gamma)(p_i\ a) & = & T_i,\ \text{where } \tau(\Gamma)(a) = [T_1, T_2]
\end{array}
$$

In the type rule for lambda abstraction, the constraint that Γ(x) must be
undefined can be satisfied by suitably renaming the bound variable since we
treat terms as equivalent modulo the renaming of bound variables.


Example 2.5 (type rules) Let Ω label the context bool : TYPE, TRUE : bool,
FALSE : bool. Then

$$
\begin{array}{lcl}
\tau()(\{\}) & = & \mathrm{CONTEXT} \\
\tau()(\Omega) & = & \mathrm{CONTEXT} \\
\tau(\Omega)([[\mathit{bool}, \mathit{bool}] \to \mathit{bool}]) & = & \mathrm{TYPE} \\
\tau(\Omega)((\mathrm{TRUE}, \mathrm{FALSE})) & = & [\mathit{bool}, \mathit{bool}] \\
\tau(\Omega)(p_2\ (\mathrm{TRUE}, \mathrm{FALSE})) & = & \mathit{bool} \\
\tau(\Omega)(\lambda (x : \mathit{bool}) : \mathrm{TRUE}) & = & [\mathit{bool} \to \mathit{bool}]
\end{array}
$$
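The following is an added worked example, not code from the report or from the PVS system: a direct transcription of the partial function τ of Definition 2.4 into Python, run on the judgements of Example 2.5. The encoding of pretypes, preterms and contexts as nested tuples, and the use of `None` for "τ is undefined", are assumptions of this example; the context Ω is the one of Example 2.5.

```python
# Representation assumed for this example (not the report's notation):
#   types   : "s" | ("fun", A, B) | ("prod", A1, A2)
#   preterms: "s" | ("app", f, a) | ("lam", x, T, a) | ("pair", a1, a2) | ("proj", i, a)
#   context : tuple of (s, TYPE) | (c, CONSTANT, T) | (x, VARIABLE, T)
TYPE, CONSTANT, VARIABLE, CONTEXT = "TYPE", "CONSTANT", "VARIABLE", "CONTEXT"


def lookup(ctx, s):
    """Gamma(s): the declaration of s, or None when s is undeclared."""
    for decl in reversed(ctx):
        if decl[0] == s:
            return decl
    return None


def check_context(ctx):
    """tau()(Gamma): CONTEXT when every declaration is well formed w.r.t. its prefix."""
    for i, decl in enumerate(ctx):
        prefix = ctx[:i]
        if lookup(prefix, decl[0]) is not None:  # each symbol is declared at most once
            return None
        if decl[1] in (CONSTANT, VARIABLE) and tau(prefix, decl[2]) != TYPE:
            return None
    return CONTEXT


def tau(ctx, e):
    """tau(Gamma)(e): TYPE for a well-formed type, the canonical type of a well-typed
    preterm, and None where the partial function tau is undefined."""
    if isinstance(e, str):
        decl = lookup(ctx, e)
        return None if decl is None else (TYPE if decl[1] == TYPE else decl[2])
    tag = e[0]
    if tag in ("fun", "prod"):
        return TYPE if tau(ctx, e[1]) == TYPE and tau(ctx, e[2]) == TYPE else None
    if tag == "app":  # f a : B when f : [A->B] and a : A; the domain must match exactly
        tf, ta = tau(ctx, e[1]), tau(ctx, e[2])
        ok = isinstance(tf, tuple) and tf[0] == "fun" and ta is not None and tf[1] == ta
        return tf[2] if ok else None
    if tag == "lam":  # lambda(x:T): a : [T -> tau(Gamma, x:VAR T)(a)], x not yet declared
        _, x, T, body = e
        if lookup(ctx, x) is not None or tau(ctx, T) != TYPE:
            return None
        tb = tau(ctx + ((x, VARIABLE, T),), body)
        return ("fun", T, tb) if tb not in (None, TYPE) else None
    if tag == "pair":
        t1, t2 = tau(ctx, e[1]), tau(ctx, e[2])
        return ("prod", t1, t2) if None not in (t1, t2) and TYPE not in (t1, t2) else None
    if tag == "proj":  # p_i a : T_i when a : [T1, T2]
        ta = tau(ctx, e[2])
        return ta[e[1]] if isinstance(ta, tuple) and ta[0] == "prod" else None
    return None


# The context Omega of Example 2.5.
OMEGA = (("bool", TYPE), ("TRUE", CONSTANT, "bool"), ("FALSE", CONSTANT, "bool"))


def example():
    """Example 2.5 computed: the two context checks and the four judgements under Omega."""
    pair = ("pair", "TRUE", "FALSE")
    return (
        check_context(()),
        check_context(OMEGA),
        tau(OMEGA, ("fun", ("prod", "bool", "bool"), "bool")),
        tau(OMEGA, pair),
        tau(OMEGA, ("proj", 2, pair)),
        tau(OMEGA, ("lam", "x", "bool", "TRUE")),
    )


if __name__ == "__main__":
    for judgement in example():
        print(judgement)
```

Because τ is a function rather than a set of inference rules, the code never searches for a derivation: each preterm has at most one canonical type, which is exactly the determinism argued for above. The `None` results for an ill-typed application (`TRUE FALSE`) or for a lambda that rebinds a symbol already in Γ are where a PVS typechecker would report an error.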


2.3 Semantics 

Recall that a preterm a with a type assigned by τ under context Γ is said to
be a term of type τ(Γ)(a) in the context Γ. If γ is an assignment for the
symbols declared in context Γ, the semantics of the simple type theory of PVS
is given by mapping a type T to a (possibly empty) set M(Γ | γ)(T), and a term
a with assigned type T to an element of the set M(Γ | γ)(T) in the basic
universe U. The assignment γ is a list of bindings of the form
{s₁ ← t₁} … {s_n ← t_n}. The application of an assignment γ to a symbol s is
such that γ{s ← t}(s) is t, whereas γ{r ← t}(s) is γ(s) when r ≠ s.
The meaning function M returns the meaning of a well-formed type A
and a well-formed expression a in the context Γ under an assignment γ as
M(Γ | γ)(A) and M(Γ | γ)(a), respectively. The meanings of type names,
constants, and variables declared in Γ are obtained from the assignment γ.
A function type is mapped to the corresponding function space. A product
type is mapped to the corresponding Cartesian product. An application
term is interpreted by means of set-theoretic function application. A lambda
abstraction yields the graph of the corresponding function. A pair expression
is mapped to the corresponding set-theoretic ordered pair.

Definition 2.6 (meaning function)

$$
\begin{array}{lcl}
\mathcal{M}(\Gamma \mid \gamma)(s) & = & \gamma(s),\ \text{if } \mathit{kind}(\Gamma(s)) \in \{\mathrm{TYPE}, \mathrm{CONSTANT}, \mathrm{VARIABLE}\} \\
\mathcal{M}(\Gamma \mid \gamma)([A \to B]) & = & \mathcal{M}(\Gamma \mid \gamma)(B)^{\mathcal{M}(\Gamma \mid \gamma)(A)} \\
\mathcal{M}(\Gamma \mid \gamma)([T_1, T_2]) & = & \mathcal{M}(\Gamma \mid \gamma)(T_1) \times \mathcal{M}(\Gamma \mid \gamma)(T_2) \\
\mathcal{M}(\Gamma \mid \gamma)(f\ a) & = & (\mathcal{M}(\Gamma \mid \gamma)(f))(\mathcal{M}(\Gamma \mid \gamma)(a)) \\
\mathcal{M}(\Gamma \mid \gamma)(\lambda (x : T) : a) & = & \{(y, z) \mid y \in \mathcal{M}(\Gamma \mid \gamma)(T),\ z = \mathcal{M}(\Gamma, x : \mathrm{VAR}\ T \mid \gamma\{x \leftarrow y\})(a)\} \\
\mathcal{M}(\Gamma \mid \gamma)((a_1, a_2)) & = & (\mathcal{M}(\Gamma \mid \gamma)(a_1), \mathcal{M}(\Gamma \mid \gamma)(a_2)) \\
\mathcal{M}(\Gamma \mid \gamma)(p_i\ a) & = & t_i,\ \text{where } \mathcal{M}(\Gamma \mid \gamma)(a) = (t_1, t_2)
\end{array}
$$


Example 2.7 (meaning function) Let ω be an assignment for the context
in Example 2.5, of the form

{bool ← 2} {TRUE ← 1} {FALSE ← 0}

then

$$
\begin{array}{lcl}
\mathcal{M}(\Omega \mid \omega)([\mathit{bool}, \mathit{bool}]) & = & 2 \times 2 \\
\mathcal{M}(\Omega \mid \omega)((\mathrm{TRUE}, \mathrm{FALSE})) & = & (1, 0) \\
\mathcal{M}(\Omega \mid \omega)(\lambda (x : \mathit{bool}) : \mathrm{TRUE}) & = & \{(0, 1), (1, 1)\}
\end{array}
$$


Definition 2.8 (satisfaction) A context assignment γ is said to satisfy a
context Γ (in symbols γ ⊨ Γ) iff

1. γ(bool) = 2,

2. γ(TRUE) = 1,

3. γ(FALSE) = 0,

4. γ(s) ∈ U whenever kind(Γ(s)) = TYPE, and

5. γ(s) ∈ M(Γ | γ)(type(Γ(s))) whenever kind(Γ(s)) ∈ {CONSTANT, VARIABLE}.


Example 2.9 (satisfaction)

1. The assignment ω satisfies context Ω.

2. The assignment ω{one ← 1}{zero ← 0} satisfies the context
Ω, one : TYPE, zero : one.
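The following is an added worked example, not code from the report or from PVS: the meaning function M of Definition 2.6 and the satisfaction relation of Definition 2.8 made executable, run on Examples 2.7 and 2.9. Functions are represented as their graphs (frozensets of pairs), the set 2 is `frozenset({0, 1})` with the integers standing in for the von Neumann numerals, and the tuple encoding of types, terms and contexts is an assumption of this example; membership of a type's value in the basic universe U is approximated by "is a frozenset", which is adequate for these finite cases.

```python
from itertools import product

# Representation assumed for this example (not the report's notation):
#   types     : "s" | ("fun", A, B) | ("prod", T1, T2)
#   terms     : "s" | ("app", f, a) | ("lam", x, T, a) | ("pair", a1, a2) | ("proj", i, a)
#   context   : tuple of (s, "TYPE") | (c, "CONSTANT", T) | (x, "VARIABLE", T)
#   assignment: dict from symbol to its set-theoretic value
#   functions : graphs, i.e. frozensets of (argument, value) pairs
TWO = frozenset({0, 1})  # the set 2; 0 and 1 stand in for the empty set and its singleton


def meaning(ctx, gamma, e):
    """M(Gamma | gamma)(e) (Definition 2.6). The context is carried only so that the
    lambda case can extend it, exactly as the definition does."""
    if isinstance(e, str):  # type names, constants and variables come from gamma
        return gamma[e]
    tag = e[0]
    if tag == "fun":  # the function space: every graph from M(A) into M(B)
        dom, rng = tuple(meaning(ctx, gamma, e[1])), meaning(ctx, gamma, e[2])
        return frozenset(frozenset(zip(dom, vals)) for vals in product(rng, repeat=len(dom)))
    if tag == "prod":
        return frozenset(product(meaning(ctx, gamma, e[1]), meaning(ctx, gamma, e[2])))
    if tag == "app":  # set-theoretic application: look the argument up in the graph
        return dict(meaning(ctx, gamma, e[1]))[meaning(ctx, gamma, e[2])]
    if tag == "lam":  # the graph {(y, M(Gamma, x:VAR T | gamma{x <- y})(a)) | y in M(T)}
        _, x, T, body = e
        ext = ctx + ((x, "VARIABLE", T),)
        return frozenset((y, meaning(ext, {**gamma, x: y}, body)) for y in meaning(ctx, gamma, T))
    if tag == "pair":
        return (meaning(ctx, gamma, e[1]), meaning(ctx, gamma, e[2]))
    if tag == "proj":
        return meaning(ctx, gamma, e[2])[e[1] - 1]
    raise ValueError(f"not a type or term: {e!r}")


def satisfies(ctx, gamma):
    """gamma |= Gamma (Definition 2.8). Membership of a type's value in the basic
    universe U is approximated here by 'is a frozenset', enough for finite examples."""
    if gamma.get("bool") != TWO or gamma.get("TRUE") != 1 or gamma.get("FALSE") != 0:
        return False
    for i, decl in enumerate(ctx):
        if decl[1] == "TYPE":
            if not isinstance(gamma.get(decl[0]), frozenset):
                return False
        elif gamma.get(decl[0]) not in meaning(ctx[:i], gamma, decl[2]):
            return False
    return True


# The context Omega of Example 2.5 and the assignment omega of Example 2.7.
OMEGA = (("bool", "TYPE"), ("TRUE", "CONSTANT", "bool"), ("FALSE", "CONSTANT", "bool"))
omega = {"bool": TWO, "TRUE": 1, "FALSE": 0}


def example():
    """Examples 2.7 and 2.9 computed, plus one instance of term soundness (Theorem 2.13):
    the graph denoted by lambda(x:bool): TRUE lies in the function space 2^2."""
    lam = ("lam", "x", "bool", "TRUE")
    # Example 2.9: the set 1 is {0}, so zero = 0 is an element of one = {0}
    ext_ctx = OMEGA + (("one", "TYPE"), ("zero", "CONSTANT", "one"))
    ext_gamma = {**omega, "one": frozenset({0}), "zero": 0}
    return {
        "prod": meaning(OMEGA, omega, ("prod", "bool", "bool")),
        "pair": meaning(OMEGA, omega, ("pair", "TRUE", "FALSE")),
        "lam": meaning(OMEGA, omega, lam),
        "lam_in_space": meaning(OMEGA, omega, lam) in meaning(OMEGA, omega, ("fun", "bool", "bool")),
        "sat_omega": satisfies(OMEGA, omega),
        "sat_ext": satisfies(ext_ctx, ext_gamma),
    }


if __name__ == "__main__":
    for name, value in example().items():
        print(name, "=", value)
```

The function-space case enumerates all graphs over a finite domain, which is what makes the membership check `lam_in_space` possible; over ℝ the same definition is a set-theoretic description, not a computation. The last two checks are the satisfaction judgements of Example 2.9, and `satisfies` also rejects an assignment that maps a constant outside the meaning of its declared type.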


We need one useful proposition that asserts that typing judgements are 
not invalidated when the context is extended. 

Proposition 2.10 If τ()(Γ) = τ()(Γ') = CONTEXT and Γ is a prefix of Γ',
then for all pretypes A, τ(Γ)(A) = TYPE implies τ(Γ')(A) = TYPE, and for all
preterms a, τ(Γ)(a) = A implies τ(Γ')(a) = A.

The following theorems follow from the induction suggested by the
definitions of τ and M. The first of these is straightforward and is given
without proof.

Theorem 2.11 (type construction) If τ()(Γ) = CONTEXT and τ(Γ)(a) = A,
then τ(Γ)(A) = TYPE.

Theorem 2.12 (type soundness) If τ()(Γ) = CONTEXT, γ satisfies Γ, and
τ(Γ)(A) = TYPE, then M(Γ | γ)(A) ∈ U.

Proof. The proof is by induction on the structure of the pretype A. Recall
that if X ∈ U, then for some i, X ∈ U_i. This yields three cases:

1. A = s: By Definition 2.4, Γ(s) is defined and kind(Γ(s)) is TYPE. Then
by Definition 2.6, M(Γ | γ)(s) is γ(s), and by Definition 2.8, γ(s) ∈ U.

2. A = [B→C]: We then have that τ(Γ)(B) = τ(Γ)(C) = TYPE. Letting X
label M(Γ | γ)(B), and Y label M(Γ | γ)(C), we have by the induction
hypothesis that X ∈ U and Y ∈ U. Let j be the least rank such
that M(Γ | γ)(B) ∈ U_j and M(Γ | γ)(C) ∈ U_j. By Definition 2.6,
M(Γ | γ)(A) = Y^X, and hence M(Γ | γ)(A) ∈ U_{j+1} by Definition 1.1.

3. A = [A₁, A₂]: Again by Definition 2.4 and the induction hypothesis, we
have for each i ∈ {1, 2}, that M(Γ | γ)(A_i) ∈ U. Let j be the least rank
such that for i ∈ {1, 2}, M(Γ | γ)(A_i) ∈ U_j. Then, it is easy to verify
from Definition 1.1 that M(Γ | γ)(A) ∈ U_{j+1}.


Theorem 2.13 (term soundness) If τ()(Γ) = CONTEXT, γ satisfies Γ, and
τ(Γ)(a) is defined and equal to A, then M(Γ | γ)(a) ∈ M(Γ | γ)(A).

Proof. The proof is by induction on the structure of preterms.

1. a = s: By Definition 2.4, we have that type(Γ(s)) = A. By Definitions 2.6
and 2.8, we have that M(Γ | γ)(a) = γ(s) and γ(s) ∈ M(Γ | γ)(A).

2. a = (f b): By Definition 2.4, τ(Γ)(f) = [B→A], and τ(Γ)(b) = B,
for some B such that τ(Γ)(B) = TYPE. Let M(Γ | γ)(A) be X and
M(Γ | γ)(B) be Y; then by Definitions 2.4 and 2.6, and the induction
hypothesis, we have M(Γ | γ)(f) ∈ X^Y and M(Γ | γ)(b) ∈ Y. It therefore
follows by Definition 2.6 that M(Γ | γ)((f b)) = (M(Γ | γ)(f))(M(Γ | γ)(b)),
and hence M(Γ | γ)((f b)) ∈ X.

3. a = (λ(x : C) : b): By Definition 2.4, we have that τ(Γ)(a) is [C→B],
where τ(Γ, x : VAR C)(b) is B. Let X be M(Γ | γ)(C), and Y be
M(Γ, x : VAR C | γ{x ← u})(B). By the induction hypothesis, we have that
for any u ∈ X, M(Γ, x : VAR C | γ{x ← u})(b) ∈ Y. Since M(Γ | γ)(a) is
{(u, v) | u ∈ X, v = M(Γ, x : VAR C | γ{x ← u})(b)}, we have that
M(Γ | γ)(a) ∈ Y^X.

4. a = (a₁, a₂): By Definition 2.4, τ(Γ)(a) = [A₁, A₂], where τ(Γ)(a_i) =
A_i for i ∈ {1, 2}. By the induction hypothesis, M(Γ | γ)(a_i) ∈
M(Γ | γ)(A_i) for i ∈ {1, 2}. By Definition 2.6, M(Γ | γ)(a) =
(M(Γ | γ)(a₁), M(Γ | γ)(a₂)) and hence M(Γ | γ)(a) is an element
of M(Γ | γ)(A), which is M(Γ | γ)(A₁) × M(Γ | γ)(A₂).

5. a = p_i b: In this case, we know by Definition 2.4 that τ(Γ)(b) = [A₁, A₂]
with i ∈ {1, 2}, and τ(Γ)(a) = A_i. By the induction hypothesis,
M(Γ | γ)(b) = (t₁, t₂), and by Definition 2.6, M(Γ | γ)(a) = t_i and
M(Γ | γ)(τ(Γ)(b)) = M(Γ | γ)(A₁) × M(Γ | γ)(A₂), hence M(Γ | γ)(a) ∈
M(Γ | γ)(A).

■ 

These three theorems (2.11, 2.12, and 2.13) are the key invariants that 
must be satisfied by the semantics when the language is extended below with 
type definitions, subtypes, dependent types, and parametric theories. 


2.4 Some Syntactic Operations 


We first define the operation of collecting the free variables of a term a in a
given context Γ as FV(Γ)(a), and then define the operation of substitution.

Definition 2.14 (free variables)

$$
\begin{array}{lcl}
FV(\Gamma)(s) & = & \begin{cases} \{s\}, & \text{if } \mathit{kind}(\Gamma(s)) = \mathrm{VARIABLE} \\ \emptyset, & \text{otherwise} \end{cases} \\
FV(\Gamma)(f\ a) & = & FV(\Gamma)(f) \cup FV(\Gamma)(a) \\
FV(\Gamma)(\lambda (x : T) : a) & = & FV(\Gamma, x : \mathrm{VAR}\ T)(a) - \{x\} \\
FV(\Gamma)((a_1, a_2)) & = & FV(\Gamma)(a_1) \cup FV(\Gamma)(a_2) \\
FV(\Gamma)(p_i\ a) & = & FV(\Gamma)(a)
\end{array}
$$


Definition 2.15 (substitution)

$$
\begin{array}{lcl}
s[a_1/x_1, \ldots, a_n/x_n] & = & \begin{cases} a_i, & \text{if for some minimal } i,\ s = x_i \\ s, & \text{otherwise} \end{cases} \\
(f\ a)[a_1/x_1, \ldots, a_n/x_n] & = & (f[a_1/x_1, \ldots, a_n/x_n]\ a[a_1/x_1, \ldots, a_n/x_n]) \\
(\lambda (y : T) : a)[a_1/x_1, \ldots, a_n/x_n] & = & (\lambda (y' : T) : a[y'/y, a_1/x_1, \ldots, a_n/x_n]),\ \text{where } y' \text{ is a fresh variable} \\
(b_1, b_2)[a_1/x_1, \ldots, a_n/x_n] & = & (b_1[a_1/x_1, \ldots, a_n/x_n],\ b_2[a_1/x_1, \ldots, a_n/x_n]) \\
(p_i\ a)[a_1/x_1, \ldots, a_n/x_n] & = & (p_i\ a[a_1/x_1, \ldots, a_n/x_n])
\end{array}
$$
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Recall that terms are treated as syntactically equivalent modulo alpha 
conversion. The above definitions must be extended as more features are 
added to the language. 


2.5 Type Definitions 


Here we enrich contexts so that type symbols may have definitions. PVS does
not allow recursive type definitions,¹ so a type declaration/definition in a con-
text may use only the symbols declared in the prior part of the context. The
main difference in the extended language is that type names can have defi-
nitions. In such cases, the definitions rather than the type names are used
to determine the actual type of an expression. In other words, two type ex-
pressions are treated as the same if they are definitionally equivalent. Most
other specification languages tend to employ the weaker notion of name equiv-
alence where syntactically different types are treated as distinct even when
their definitions coincide.

To accommodate type definitions, a context can contain type declarations
of the form s: TYPE = T, where T is a type. If context Γ contains such
a declaration for s, then definition(Γ(s)) is T. To extend τ to handle type
definitions under definitional equivalence, we must ensure that τ returns the
canonical form of a type where all defined types have been replaced by their
definitions. The operation δ(Γ)(T) returns the expanded form of a type relative
to the context Γ.


Definition 2.16 (expanded type)

δ(Γ)(s) = s, if definition(Γ(s)) is empty
        = δ(Γ)(definition(Γ(s))), if definition(Γ(s)) is nonempty
δ(Γ)([T₁→T₂]) = [δ(Γ)(T₁)→δ(Γ)(T₂)]
δ(Γ)([T₁, T₂]) = [δ(Γ)(T₁), δ(Γ)(T₂)]


The typing rules are augmented to return the type in expanded form. The 
main issue here is to determine that the definition part of a type declaration 
in a context is well formed relative to the preceding context. We also need 
to ensure that τ returns the expanded form of the type corresponding to a
preterm. 

¹ For the moment, we are not considering the PVS DATATYPE mechanism, which is a form
of recursive type definition [OS97]. Recursive datatypes in the context of the HOL proof
checking system are described by Melham [Mel89].
Definition 2.17 (type rules with type definitions)

τ()(Γ, s: TYPE = T) = CONTEXT, if Γ(s) is undefined,
                               τ()(Γ) = CONTEXT,
                               and τ(Γ)(T) = TYPE
τ(Γ)(s) = δ(Γ)(type(Γ(s))), if kind(Γ(s)) ∈ {CONSTANT, VARIABLE}

Note that the δ operator is idempotent, and τ(Γ)(a) for a term a always
returns an expanded type, that is, δ(Γ)(τ(Γ)(a)) = τ(Γ)(a).

We do not need to update the definition of M from Definition 2.6 since
the syntax for terms is unchanged, but we do need to revise the notion of a
satisfying context assignment (from Definition 2.8) to respect the type defini-
tions.

Definition 2.18 (satisfaction with type definitions) An assignment γ
satisfies a context Γ if in addition to the conditions in Definition 2.8, whenever
kind(Γ(s)) = TYPE and definition(Γ(s)) (abbreviated as T) is nonempty, then
γ(s) = M(Γ | γ)(T). ■

Theorems 2.11 and 2.12 and 2.13 continue to hold under these extensions, 
and the proofs are easily adapted to the modified definitions. 

Example 2.19 (type definition) Let Γ' be the context
Γ, boolop: TYPE = [[bool, bool]→bool], ∨: boolop. Then

τ()(Γ') = CONTEXT
δ(Γ')(boolop) = [[bool, bool]→bool],
τ(Γ')(∨) = [[bool, bool]→bool]


2.6 Summary 

We have defined the simply typed fragment of PVS by introducing the syn- 
tax for pretypes and preterms, the type rules and semantics for well-formed 
contexts, types, and terms. The type rules are presented in a novel functional 
style where each well-formed context is assigned the label CONTEXT, each well- 
formed type is assigned the label TYPE, and each well-formed term is assigned 
a canonical type. The semantics takes a satisfying assignment for a context
and maps a well-formed type to a set and a well-formed term to an element 
of the set corresponding to its canonical type. We then defined the syntactic 
operations of collecting the free variables in an expression and for substituting 
terms for variables in an expression. 

The simple type theory is then extended with type definitions. With this 
extension, two type expressions are treated as equivalent if they are identical 
after all type definitions have been expanded. The operation δ returns the
expanded form of a given type expression. 



Chapter 3 

Adding Subtypes 


Subtyping is one of the main features of the PVS specification language.¹ Sub-
typing in PVS corresponds to the set-theoretic notion of a subset. It raises 
several delicate issues that were absent in the language presented thus far. In 
the simply typed fragment, each type corresponds to a set of values that is 
somehow structurally different from the set of values for another type so that 
a term has at most one type. Subtyping makes it possible to introduce the 
natural numbers as a subtype of the reals, and to treat the primes, the even 
numbers, and the odd numbers as subtypes of the natural numbers. With 
subtyping, a term can obviously have several possible types, but the type- 
checking function τ may return only a single type. We constrain τ to return
a natural canonical type of an expression that is given by the declarations of 
the symbols in the expression. If the expression is used in a context where 
the expected type is a supertype of its canonical type, then the type correct- 
ness is straightforward. If the expected type is a subtype that is compatible 
with the canonical type of the expression, then typechecking generates proof 
obligations asserting that the expression satisfies the predicate constraints im- 
posed by the expected type. Two types are compatible if they have equivalent 
maximal supertypes. Type equivalence in the presence of subtypes is not a 
simple notion. Subtyping also introduces the possibility of types being empty. 
Typed lambda calculi with possibly empty types have been studied by Meyer, 
Mitchell, Moggi, and Statman [MMMS90]. This chapter introduces predicate 
subtypes and defines the notions of compatibility and type equivalence prior 
to presenting the type rules and semantics. 

We restrict our attention to contexts Γ that extend the declarations:

bool : TYPE,
TRUE : bool,
FALSE : bool,
boolop : [[bool, bool]→bool],
¬ : [bool→bool],
∨ : boolop,
∧ : boolop,
⊃ : boolop

¹ The form of subtyping used in PVS is derived from a suggestion of Friedrich von Henke.

We will abuse PVS notation to employ the customary infix forms of operations
like ∨, ∧, and ⊃. The pretype corresponding to a predicate subtype has the
form {x: T | a} where x is a symbol, T is a pretype, and a is a preterm.
A predicate type in PVS is a function type where the range is the primitive
type bool. A predicate is a term that has a predicate type. If a is a term
of type bool, then we can define the subtype {x: T | a} consisting of those
elements e of T satisfying a[e/x] (e substituted for x in a). Since the elements
of the subtype {x: T | a} satisfy the predicate λ(x: T): a, we call this type a
predicate subtype to distinguish it from other forms of subtyping. Universal
quantification ∀(x: T): a is just an abbreviation for the term (λ(x: T): a) =
(λ(x: T): TRUE). Although we use the equality predicate in the definition of
universal quantification and in the definitions below, the actual introduction
of equality is deferred to a later section following the introduction of parametric
theories. The equality between PVS terms of function type is to be interpreted
as extensional equality. Note that the ‘=’ symbol is used both for the formal
equality symbol in the language and for metatheoretic equality.

Our first step will be to define the notion of a maximal supertype of a given
type as μ(T). A maximal type T is one such that μ(T) = T. In a given context,
we will apply μ only to the expanded form (given by δ) of a type expression.

Definition 3.1 (maximal supertype)

μ(s) = s
μ({x: T | a}) = μ(T)
μ([A→B]) = [A→μ(B)]
μ([A₁, A₂]) = [μ(A₁), μ(A₂)]


Note that since subtypes correspond to subsets, in taking the maximal super-
type of a function type, the domain type is held fixed. In most type theo-
ries with subtypes, the rule for subtyping between function types [A→B] and
[A'→B'] requires showing that A' is a subtype of A, and B is a subtype of B'.
Subtyping between function types is therefore said to be contravariant in the
domain type and covariant in the range type. Subtyping on function types in
PVS is covariant in the range type but is neither covariant nor contravariant
in the domain type. This means that the function type [nat→nat] is not a
supertype of the function type [int→nat]. Such a subtyping relation would
violate extensionality. Two functions on nat are extensionally equal when
they return equal values when applied to equal arguments in nat. Consider
two functions in [nat→nat]: abs which returns the absolute value, and idnat
which behaves as an identity function on natural numbers and returns 0 other-
wise. These two functions will be erroneously identified if they can be viewed
as being of type [nat→nat], and the subset interpretation of subtypes would
be lost.

We will also employ a weaker supertype μ₀(T) or the direct supertype, that
only considers supertypes of explicitly given subtypes of the form {x: T | a}.

Definition 3.2 (direct supertype)

μ₀({x: T | a}) = μ₀(T)
μ₀(T) = T, otherwise


Example 3.3 (maximal supertype) Given a context containing the decla-
rations

int: TYPE,
0: int,
<: [[int, int]→bool],
nat: TYPE = {i: int | 0 < i},
natinjection: TYPE = {f: [nat→nat] | ∀(i, j: nat): f(i) = f(j) ⊃ i = j}

we have

μ(natinjection) = μ([nat→nat])
                = [nat→μ(nat)]
                = [nat→int]
μ₀(natinjection) = [nat→nat]


Note that μ(μ(A)) = μ(A). Note also that a maximal supertype is never a
subtype. We can in fact collect the predicates that constrain a type A relative
to its maximal supertype μ(A) as π(A).

Definition 3.4 (subtype constraints)

π(s) = λ(x: s): TRUE
π({y: T | a}) = λ(x: μ(T)): (π(T)(x) ∧ a[x/y])
π([A→B]) = λ(x: [A→μ(B)]): (∀(y: A): π(B)(x(y)))
π([A₁, A₂]) = λ(x: [μ(A₁), μ(A₂)]): (π(A₁)(p₁ x) ∧ π(A₂)(p₂ x))

Observe that in Definition 3.4, if τ(Γ)(A) = TYPE, then τ(Γ)(π(A)) =
[μ(A)→bool].²

Example 3.5 (subtype constraints)

π(nat) = λ(j: int): 0 < j
π([nat→nat]) = λ(g: [nat→int]): ∀(i: nat): (λ(j: int): 0 < j)(g(i))
π(natinjection) = λ(f: [nat→int]): π([nat→nat])(f)
                                    ∧ (∀(i, j: nat): f(i) = f(j) ⊃ i = j)
                = λ(f: [nat→int]):
                    (λ(g: [nat→int]): ∀(i: nat): (λ(j: int): 0 < j)(g(i)))(f)
                    ∧ (∀(i, j: nat): f(i) = f(j) ⊃ i = j)

Observe that π(μ(A)) is essentially equivalent to λ(x: μ(A)): TRUE.

Since the subtype {x: T | p(x) ∧ q(x)} can also be written as {x: T | q(x) ∧
p(x)}, we need a notion of equivalence between types. One way to do this is to
make types “first-class” and to allow explicit theorems to be proved about type
equivalence and subtyping. Since this would be a fairly drastic extension to the
specification language, we have designed the PVS type system so as to avoid
any first-class treatment of types. It turns out that all the needed properties
about types (such as equality and subtyping) can be obtained by generating
ordinary proof obligations rather than by explicitly proving theorems about
types.

² This is somewhat tricky in the case of π({y: T | a}) since in a[x/y], x has type
μ(T), whereas y has type T. As shown in Chapter 6, the type rules for conjunc-
tion are such that τ(Γ, x: VAR μ(T))(π(T)(x) ∧ a) reduces to τ(Γ, x: VAR μ(T))(π(T)(x))
and τ(Γ, x: VAR μ(T), π(T)(x))(a[x/y]) where the first conjunct is added to the
context as a contextual assumption. One can then show by induction that
τ(Γ, x: VAR μ(T), π(T)(x))(a[x/y]) = τ(Γ, y: VAR T)(a).

We introduce below a metatheoretic operation that generates the proof
obligations needed to establish that two (maximal) types are equivalent. This
equivalence is denoted by ~ and is applied only to maximal types and re-
turns a list of the proof obligations that must be proved. Note the invariant
in the definition below that the arguments to ~ are always maximal. The
definition of ~ makes use of the PVS equality predicate that will be intro-
duced later. A list of formulas is represented as a₁, ..., aₙ. Given two such
lists a₁, ..., aₘ and b₁, ..., bₙ, the concatenation of these two lists is written
as a₁, ..., aₘ, b₁, ..., bₙ.


Definition 3.6 (type equivalence proof obligations)

(s ~ s) = TRUE
([A→B] ~ [A'→B']) = ((μ(A) ~ μ(A')); (π(A) = π(A')); (B ~ B'))³
([A₁, A₂] ~ [B₁, B₂]) = ((A₁ ~ B₁); (A₂ ~ B₂))
(A ~ B) = FALSE, otherwise


Example 3.7 (type equivalence) Building on the context given in Exam-
ple 3.3, if we have the following variants of nat and natinjection:

NAT: TYPE = {i: int | i < 0 ⊃ i = 0}
NATinjection: TYPE = {f: [NAT→NAT] | ∀(i, j: NAT): f(i) = f(j) ⊃ i = j}

we get

μ([natinjection→natinjection]) = [natinjection→[nat→int]]
μ([NATinjection→NATinjection]) = [NATinjection→[NAT→int]]

μ([natinjection→natinjection]) ~ μ([NATinjection→NATinjection])
  = (μ(natinjection) ~ μ(NATinjection));
    (π(natinjection) = π(NATinjection));
    ([nat→int] ~ [NAT→int])

(π(natinjection) = π(NATinjection))
  = ( λ(f: [nat→int]): (λ(g: [nat→int]): ∀(i: nat): 0 < g(i))(f)
                        ∧ (∀(i, j: nat): f(i) = f(j) ⊃ i = j)
    = λ(f: [NAT→int]): (λ(g: [NAT→int]): ∀(i: NAT): g(i) < 0 ⊃ g(i) = 0)(f)
                        ∧ (∀(i, j: NAT): f(i) = f(j) ⊃ i = j) )

([nat→int] ~ [NAT→int])
  = (int ~ int); ((λ(i: int): 0 < i) = (λ(i: int): i < 0 ⊃ i = 0)); (int ~ int)

³ The type correctness of the proof obligation (π(A) = π(A')) depends on the prior proof
obligations μ(A) ~ μ(A').

A basic question during typechecking is whether two types are compatible,
that is, have the same maximal supertype. Two types are said to be com-
patible if the type equivalence proof obligations on their respective maximal
supertypes are provable. The provability of a formula a under context Γ is
represented as ⊢_Γ a.

Definition 3.8 (compatible) Two types A and B are said to be compatible
in context Γ (in notation, (A ~ B)_Γ) if ⊢_Γ a, for each a in (μ(A) ~ μ(B)).⁴ ■
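The following Python model of Definitions 3.1, 3.2, 3.4, 3.6 and 3.8 is an added illustration, not code from the report or from PVS itself. It assumes types have already been δ-expanded (so nat appears as its definition), keeps subtype predicates as PVS-like strings, and replaces the prover ⊢_Γ by a function that merely lists the obligations ⊢_Γ would have to discharge, so an empty list means the two types are compatible outright.

```python
from dataclasses import dataclass
from typing import Union

# Type AST after δ-expansion (Definitions 2.16 and 3.9): defined names such as
# nat already appear as their definitions.  Subtype predicates are strings.
@dataclass(frozen=True)
class Sym:                      # a type symbol such as int or bool
    name: str
    def __str__(self): return self.name

@dataclass(frozen=True)
class Sub:                      # {var: base | pred}
    var: str
    base: "Type"
    pred: str
    def __str__(self): return f"{{{self.var}: {self.base} | {self.pred}}}"

@dataclass(frozen=True)
class Fun:                      # [dom -> rng]
    dom: "Type"
    rng: "Type"
    def __str__(self): return f"[{self.dom} -> {self.rng}]"

@dataclass(frozen=True)
class Tup:                      # [left, right]
    left: "Type"
    right: "Type"
    def __str__(self): return f"[{self.left}, {self.right}]"

Type = Union[Sym, Sub, Fun, Tup]


def mu(t: Type) -> Type:
    """Definition 3.1: maximal supertype.  Function domains are held fixed."""
    if isinstance(t, Sym):
        return t
    if isinstance(t, Sub):
        return mu(t.base)
    if isinstance(t, Fun):
        return Fun(t.dom, mu(t.rng))
    return Tup(mu(t.left), mu(t.right))


def mu0(t: Type) -> Type:
    """Definition 3.2: direct supertype; strips only explicit predicate subtypes."""
    return mu0(t.base) if isinstance(t, Sub) else t


def pi(t: Type) -> str:
    """Definition 3.4: the predicate over mu(t) that constrains t, as a string.
    For {y: T | a} the new binder is y itself, so a[x/y] is just a; when T is a
    bare symbol the trivially true conjunct pi(T)(y) is dropped, matching the
    report's rendering pi(nat) = λ(j: int): 0 < j."""
    if isinstance(t, Sym):
        return f"λ(x: {t}): TRUE"
    if isinstance(t, Sub):
        if isinstance(t.base, Sym):
            return f"λ({t.var}: {t.base}): {t.pred}"
        return f"λ({t.var}: {mu(t.base)}): (({pi(t.base)})({t.var}) ∧ {t.pred})"
    if isinstance(t, Fun):
        return f"λ(x: {mu(t)}): (∀(y: {t.dom}): ({pi(t.rng)})(x(y)))"
    return f"λ(x: {mu(t)}): (({pi(t.left)})(p1 x) ∧ ({pi(t.right)})(p2 x))"


def equiv(a: Type, b: Type) -> list:
    """Definition 3.6: proof obligations for the equivalence of two MAXIMAL types."""
    if isinstance(a, Sym) and isinstance(b, Sym) and a == b:
        return ["TRUE"]
    if isinstance(a, Fun) and isinstance(b, Fun):
        return (equiv(mu(a.dom), mu(b.dom))
                + [f"({pi(a.dom)}) = ({pi(b.dom)})"]
                + equiv(a.rng, b.rng))
    if isinstance(a, Tup) and isinstance(b, Tup):
        return equiv(a.left, b.left) + equiv(a.right, b.right)
    return ["FALSE"]


def compatibility_obligations(a: Type, b: Type) -> list:
    """Definition 3.8 without the prover: the formulas ⊢_Γ would have to establish
    for (A ~ B)_Γ, with the trivially true ones dropped."""
    return [o for o in equiv(mu(a), mu(b)) if o != "TRUE"]


# Constructed types following Examples 3.3 and 3.7 of the report.
INT = Sym("int")
NAT = Sub("i", INT, "0 < i")
NATINJECTION = Sub("f", Fun(NAT, NAT), "∀(i, j: nat): f(i) = f(j) ⊃ i = j")
BIG_NAT = Sub("i", INT, "i < 0 ⊃ i = 0")                      # NAT of Example 3.7
BIG_NATINJECTION = Sub("f", Fun(BIG_NAT, BIG_NAT),
                       "∀(i, j: NAT): f(i) = f(j) ⊃ i = j")

if __name__ == "__main__":
    print("mu(natinjection)  =", mu(NATINJECTION))           # [nat -> int], expanded
    print("mu0(natinjection) =", mu0(NATINJECTION))          # [nat -> nat], expanded
    for ob in compatibility_obligations(Fun(NATINJECTION, NATINJECTION),
                                        Fun(BIG_NATINJECTION, BIG_NATINJECTION)):
        print("obligation:", ob)
```

Running it lists the three non-trivial obligations of Example 3.7 (the π(nat) = π(NAT) equality appears twice, once from each μ comparison).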

We now extend the definition of δ to the case of subtypes so that it leaves
the predicate unchanged but expands the definition of the supertype.

Definition 3.9 (expanded type with subtypes)

δ(Γ)({x: T | a}) = {x: δ(Γ)(T) | a}


We now extend the definition of τ to the case of subtypes. Here we could force
τ to always return a maximal supertype but this is not done in Definition 3.10
since it would weaken the soundness theorem without significantly simplify-
ing the definition of the type rules. The typechecking of contexts has to be
modified to generate a nonemptiness proof obligation for the type of any con-
stant declaration. A constant of an empty type would lead to an inconsistent
context, and this would mean that constant declarations are not conservative
extensions. This modification to Definition 2.4 is not needed for soundness
since an inconsistent context makes soundness trivial. It is needed to show
that constant declarations and definitions are conservative extensions. Note
that with subtypes, the type rule for an application is modified to check that
the domain type of the function is compatible with the type of its argument,
and that the argument satisfies any constraints imposed by the domain type
of the function. The case of projection expressions is also not straightforward
since the argument type can be a subtype of a tuple type. In this case, we use
the direct supertype (see Definition 3.2) which must be a tuple type.

⁴ The PVS proof rules are described in Chapter 7.

Definition 3.10 (type rules with subtypes)

τ()(Γ, c: T) = CONTEXT, if Γ(c) is undefined,
                        τ(Γ)(T) = TYPE,
                        τ()(Γ) = CONTEXT, and
                        ⊢_Γ (∃(x: T): TRUE)
τ(Γ)({x: T | a}) = TYPE, if Γ(x) is undefined,
                         τ(Γ)(T) = TYPE, and τ(Γ, x: VAR T)(a) = bool
τ(Γ)(f a) = B, where μ₀(τ(Γ)(f)) = [A→B],
                     τ(Γ)(a) = A',
                     (A ~ A')_Γ,
                     ⊢_Γ π(A)(a)
τ(Γ)(pᵢ a) = Aᵢ, where μ₀(τ(Γ)(a)) = [A₁, A₂]

Example 3.11 (typechecking subtypes) Let Γ contain the above declara-
tions of int, nat, 0, <, and natinjection.

τ(Γ)({i: int | 0 < i}) = TYPE

τ(Γ)((λ(f: natinjection): f(0))(λ(i: nat): i))
  = δ(Γ)(nat), if
      (natinjection ~ [nat→nat])_Γ,
      ⊢_Γ ∀(j, k: nat): (λ(i: nat): i)(j) = (λ(i: nat): i)(k) ⊃ j = k,
      (int ~ nat)_Γ, and
      ⊢_Γ 0 < 0
Only one additional clause to Definition 2.6 is needed to capture the se-
mantics of predicate subtypes.

Definition 3.12 (meaning function with subtypes)

M(Γ | γ)({x: T | a}) = {y ∈ M(Γ | γ)(T) | M(Γ, x: VAR T | γ{x ← y})(a) = 1}


Example 3.13 (semantics of predicate subtypes) If we assign the usual
truth table interpretation to the Boolean function ⊃:

M(Γ | γ)({f: [bool→bool] | ∀(x: bool): x ⊃ f(x)})
  = {{⟨0, 0⟩, ⟨1, 1⟩}, {⟨0, 1⟩, ⟨1, 1⟩}}.


The following useful propositions are easily proved from the definitions
given above. Proposition 3.14 asserts that the maximal supertype of a type is
well typed. Proposition 3.15 asserts that the denotation of a type is a subset
of the denotation of its maximal supertype. Proposition 3.16 asserts that if
all the proof obligations in (A ~ A') are valid relative to a given assignment
γ for context Γ, then the denotations of A and A' under γ are equal.

Proposition 3.14 If τ()(Γ) = CONTEXT and τ(Γ)(A) = TYPE, then
τ(Γ)(μ(A)) = TYPE.

Proposition 3.15 If τ()(Γ) = CONTEXT, τ(Γ)(T) = TYPE, and γ satisfies Γ,
then

1. M(Γ | γ)(T) ⊆ M(Γ | γ)(μ(T)) and

2. M(Γ | γ)(T) ⊆ M(Γ | γ)(μ₀(T)).

Proposition 3.16 If A and A' are maximal types in context Γ, i.e.,

1. τ()(Γ) = CONTEXT,

2. τ(Γ)(A) = τ(Γ)(A') = TYPE,

3. μ(A) = A and μ(A') = A',

and for each a in (A ~ A'),

1. a = TRUE, or

2. a = (a₁ = a₂) and M(Γ | γ)(a₁) = M(Γ | γ)(a₂) holds,

then M(Γ | γ)(A) = M(Γ | γ)(A').⁵

Proposition 3.17 If τ()(Γ) = CONTEXT and τ(Γ)(T) = TYPE, then

M(Γ | γ)(T) = M(Γ | γ)({x: μ(T) | π(T)(x)}).

We can now examine the updated forms of the invariants given by Theo-
rems 2.11, 2.12, and 2.13. The proof of Theorem 2.11 remains straightforward.
The statement of Theorem 2.13 must now be strengthened to include sound-
ness, that is, if ⊢_Γ a and γ satisfies Γ, then M(Γ | γ)(a) = 1. For now, we
assume soundness (Theorem 7.2) since we have not yet presented the proof
rules.

Theorem 3.18 (type soundness) If τ()(Γ) = CONTEXT, γ satisfies Γ, and
τ(Γ)(A) = TYPE then M(Γ | γ)(A) ∈ U.

Proof. There is only one new case to add to the induction proof of The-
orem 2.12, namely, when A = {x: T | a}. In this case, by Definition 3.10,
τ(Γ)(T) = TYPE, so by the induction hypothesis, M(Γ | γ)(T) ∈ U. Since, by
Definition 3.12, M(Γ | γ)(A) ⊆ M(Γ | γ)(T), we have M(Γ | γ)(A) ∈ U by
Definition 1.1. ■

Theorem 3.19 (term soundness) If τ()(Γ) = CONTEXT, γ satisfies Γ, and
τ(Γ)(a) = A then M(Γ | γ)(a) ∈ M(Γ | γ)(A).

Proof. There are two affected cases in the proof from that of Theorem 2.13,
namely, those of application and projection. The case of projection expressions
is straightforward given Proposition 3.15.

When a = (f b), by Definition 3.10, we have that τ(Γ)(f) = [B→A]
and τ(Γ)(b) = B'. Let X be M(Γ | γ)(B), X' be M(Γ | γ)(B'), and Y be
M(Γ | γ)(A). Then by Definition 2.6, M(Γ | γ)([B→A]) = Y^X. By the induc-
tion hypotheses, M(Γ | γ)(f) ∈ Y^X and M(Γ | γ)(b) ∈ X'. By Definition 3.10,
soundness of the proof rules (Theorem 7.2), and Propositions 3.15 and 3.16,
there is a maximal supertype μ(B) of both B and B' such that X and X' are
both subsets of M(Γ | γ)(μ(B)). Since, by Definition 3.10, ⊢_Γ π(B)(b), and
by Proposition 3.17, M(Γ | γ)(B) = M(Γ | γ)({x: μ(B) | π(B)(x)}), we have
M(Γ | γ)(b) ∈ M(Γ | γ)(B), and hence by Definition 2.6, M(Γ | γ)((f b)) ∈
M(Γ | γ)(A). ■

⁵ We remind the reader that the formulas a in (A ~ A') are equalities, but we have not
yet formally introduced equality into the language.
3.1 Summary

PVS features a form of subtyping where it is possible to form the subtype 
of a type satisfying a given predicate on the type. This kind of subtyping 
introduces several delicate semantic issues into PVS. A term can now have 
several types since, for example, the term corresponding to the number 2 can 
be a prime number, an even number, a natural number, an integer, a rational 
number, or a real number. When the expected type is a subtype, the canonical 
type of the actual term must be compatible with the expected type, that is, 
the two maximal supertypes must be equivalent and the actual term must sat- 
isfy any subtype constraints imposed by the expected type. We have defined 
the notions of maximal supertype, subtype constraints, type equivalence, and 
compatibility. These notions are used to define the type rules and semantics 
of the simply typed fragment of PVS extended with subtypes. Note that both 
type equivalence (and hence, compatibility) and type correctness are undecid- 
able. Proof obligations generated during typechecking are the only source of 
such undecidability. The modularization of the type system into a decidable 
part consisting of the simply typed fragment, and the proof obligations gener- 
ated by subtyping, is perhaps the most significant design consideration in the 
PVS language. 



Chapter 4 

Dependent Types 


The PVS language fragment described thus far is already quite expressive. It 
employs definitional equivalence between types and contains predicate sub- 
types. It is undecidable whether an expression in this fragment is type-correct 
because of the proof obligations that arise with respect to predicate subtypes 
and type equivalence. The next step is the addition of type dependencies 
between the components of a type. This extension considerably enhances the 
utility of this type system. It is also a natural extension given predicate subtyp- 
ing which already allows types that depend on free variables in the predicates. 
With dependent typing, we can make the type of one component of a prod- 
uct depend on the value of another component, or the type of the range of a 
function vary according to its argument value. 

A dependent product type is written as [x: A, B]. A dependent function
type is written as [x: A→B]. Any product or function type can be transformed
into a dependent type by inserting dummy type bindings. Conversely, any 
dummy type bindings that do not actually bind any variable occurrences can 
be removed. The type rules and semantics below will assume that all product 
and function types are presented as dependent types. 

Example 4.1 (dependent types)

[i: nat, {j: nat | j < i}],
[i: nat, [{j: nat | j < i}→bool]],
[i: int→{j: int | i < j}].


Before we treat dependent types, we update the definitions of the set of
free variables and substitution to account for the fact that with subtyping and
dependent typing, both free and bound variables can occur in terms and types.
This is needed for the next step where we try to remove type dependencies by
substituting a term into a dependent type.

Definition 4.2 (free variables for types)

FV(Γ)([x: A→B]) = FV(Γ)(A) ∪ (FV(Γ, x: VAR A)(B) − {x})
FV(Γ)([x: A, B]) = FV(Γ)(A) ∪ (FV(Γ, x: VAR A)(B) − {x})
FV(Γ)({x: A | a}) = FV(Γ)(A) ∪ (FV(Γ, x: VAR A)(a) − {x})

Definition 4.3 (substitution for types)

[x: A→B][a₁/x₁, ..., aₙ/xₙ]
  = [y: A[a₁/x₁, ..., aₙ/xₙ]→B[y/x, a₁/x₁, ..., aₙ/xₙ]]
[x: A, B][a₁/x₁, ..., aₙ/xₙ]
  = [y: A[a₁/x₁, ..., aₙ/xₙ], B[y/x, a₁/x₁, ..., aₙ/xₙ]]
{x: A | a}[a₁/x₁, ..., aₙ/xₙ]
  = {y: A[a₁/x₁, ..., aₙ/xₙ] | a[y/x, a₁/x₁, ..., aₙ/xₙ]}

where y is a fresh variable. ■
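Added example, not from the report: a Python implementation of FV and substitution covering the term cases of Definitions 2.14 and 2.15 together with the type cases of Definitions 4.2 and 4.3. It assumes a context is a map from symbols to their kinds, that types carry terms (so the type of a binder is substituted into as well), and that every binder is renamed to a fresh variable, which is what makes the substitution capture-avoiding.

```python
import itertools

# Terms (Definitions 2.14/2.15) and types (Definitions 4.2/4.3) as nested tuples:
#   terms: ('sym', s) | ('app', f, a) | ('lam', x, T, a) | ('pair', a, b) | ('proj', i, a)
#   types: ('tsym', s) | ('fun', x, A, B) | ('tup', x, A, B) | ('sub', x, A, a)
# A context Γ is a dict from symbol to its kind ('VARIABLE', 'CONSTANT' or 'TYPE');
# the declared types are not needed for these two operations.

_fresh = itertools.count(1)


def fresh(base):
    """A variable name used nowhere else (the y' of Definition 2.15, y of 4.3)."""
    return f"{base}'{next(_fresh)}"


def fv(ctx, e):
    """FV(Γ)(e) for a term or a type."""
    tag = e[0]
    if tag == 'sym':                           # {s} if kind(Γ(s)) = VARIABLE, else ∅
        return {e[1]} if ctx.get(e[1]) == 'VARIABLE' else set()
    if tag == 'tsym':
        return set()
    if tag in ('app', 'pair'):
        return fv(ctx, e[1]) | fv(ctx, e[2])
    if tag == 'proj':
        return fv(ctx, e[2])
    # Binding forms λ(x: T): a, [x: A -> B], [x: A, B], {x: A | a}: the bound
    # variable is added to the context as x: VAR T and removed from the result.
    _, x, T, body = e
    inner = {**ctx, x: 'VARIABLE'}
    return fv(ctx, T) | (fv(inner, body) - {x})


def subst(e, sigma):
    """e[a1/x1, ..., an/xn] with sigma = [(x1, a1), ..., (xn, an)].
    Binders are always renamed to a fresh variable, as in Definitions 2.15 and
    4.3, which is what makes the substitution capture-avoiding."""
    tag = e[0]
    if tag == 'sym':                           # a_i for the minimal i with s = x_i
        for x, a in sigma:
            if e[1] == x:
                return a
        return e
    if tag == 'tsym':
        return e
    if tag in ('app', 'pair'):
        return (tag, subst(e[1], sigma), subst(e[2], sigma))
    if tag == 'proj':
        return ('proj', e[1], subst(e[2], sigma))
    _, x, T, body = e
    y = fresh(x)
    # body[y/x, a1/x1, ...]: the renaming is listed first so that it wins for x.
    return (tag, y, subst(T, sigma), subst(body, [(x, ('sym', y))] + sigma))


# Constructed context: i, j, x, y are variables; f and < are constants.
CTX = {'i': 'VARIABLE', 'j': 'VARIABLE', 'x': 'VARIABLE', 'y': 'VARIABLE',
       'f': 'CONSTANT', '<': 'CONSTANT', 'nat': 'TYPE', 'int': 'TYPE'}
NAT = ('tsym', 'nat')


def lt(a, b):                                  # the term a < b, written (< (a, b))
    return ('app', ('sym', '<'), ('pair', a, b))


# {j: nat | j < i} has i free; [i: nat, {j: nat | j < i}] (Example 4.1) is closed.
BELOW_I = ('sub', 'j', NAT, lt(('sym', 'j'), ('sym', 'i')))
DEP_PAIR = ('tup', 'i', NAT, BELOW_I)

# (λ(y: nat): x)[y/x]: naive substitution would capture y; renaming prevents it.
CAPTURE_CASE = subst(('lam', 'y', NAT, ('sym', 'x')), [('x', ('sym', 'y'))])

if __name__ == "__main__":
    print(fv(CTX, BELOW_I))                    # {'i'}
    print(fv(CTX, DEP_PAIR))                   # set()
    print(CAPTURE_CASE)                        # binder renamed, body is the free y
```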

The definition of μ has to be modified slightly for dependent types.
The definition is first extended to type bindings, μ(x: T) = x: μ(T). The
definition for the case of dependent function types is unchanged so that
μ([x: A→B]) = [x: A→μ(B)]. The definition for the product case is more
delicate since the definition μ([x: A, B]) = [x: μ(A), μ(B)] results in a loss of
type information regarding the occurrences of x in B.¹ To ensure that type
information regarding x is retained, we define a new operation T\a which
constrains the subtype assertions in type T with an additional assertion a.

Definition 4.4 (Adding subtype constraints)

s\a = s
{x: T | b}\a = {x: T | a ∧ b}
[A→B]\a = [A\a→B\a]
[A, B]\a = [A\a, B\a]


¹ Doug Howe brought this problem to our attention.

We can now define the maximal supertype operation for dependent tuple
types.

Definition 4.5 (Maximal supertype for dependent product types)

μ([x: A, B]) = [x: μ(A), B\π(A)(x)]


The definition of π for a dependent function type [y: A→B] is slightly
different from that of an ordinary function type since π(B) can contain free
occurrences of the variable y. For example, π([i: int→{j: int | i < j}]) must
be λ(f: [i: int→int]): (∀(i: int): i < f(i)). The definition for dependent tuples
remains essentially unchanged from that of ordinary products.

Definition 4.6 (constraint predicates for dependent types)

π([y: A→B]) = (λ(x: [y: A→μ(B)]): (∀(y: A): π(B)(x(y))))
π([y: A, B]) = (λ(x: [y: μ(A), μ(B)\π(A)(y)]):
                  π(A)(p₁ x) ∧ π(B)(p₂ x)[(p₁ x)/y])


Example 4.7 (dependent type predicates)

μ([i: int→{j: int | i < j}]) = [i: int→int]
π([i: int→{j: int | i < j}]) = λ(f: [i: int→int]):
                                  ∀(i: int): (λ(j: int): i < j)(f(i))


The definition of ~ must also be massaged slightly for dependent types.
Recall that ~ checks whether two maximal types are equivalent by generating
proof obligations as needed. This is the basic operation for checking whether
the expected type of an expression is compatible with its actual type. The sub-
tlety now is that the expected type might be a dependent type where the actual
type is not. Consider the case of the pair (5, (λ(x: {j: nat | j < 5}): x)) whose
type would be computed by τ as [i: nat, [{j: nat | j < 5}→{j: nat | j < 5}]]
where the expected type might be [i: nat, [{j: nat | j < i}→{j: nat | j < i}]].
To cope with this, we will allow the option of two maximal types, say A and
B, to be compared using ~ in the context of an expression a. This is indicated
by the notation (A ~ B)/a. Note that (A ~ B)/a is sensible only when A and
B are maximal types. The missing cases in Definition 3.6 are included in Def-
inition 4.8. For a list of formulas a₁, ..., aₙ, let (∀(x: T): a₁, ..., aₙ) represent
the list (∀(x: T): a₁), ..., (∀(x: T): aₙ).²

Definition 4.8 (type equivalence for dependent types)

(s ~ s)/a = TRUE
([x: A→B] ~ [x': A'→B']) = (μ(A) ~ μ(A'));
                              (π(A) = π(A'));
                              (∀(x: A): (B ~ B'[x/x']))
([x: A→B] ~ [x': A'→B'])/a = (μ(A) ~ μ(A'));
                                (π(A) = π(A'));
                                (∀(x: A): (B ~ B'[x/x'])/a(x))
([x: A₁, A₂] ~ [y: B₁, B₂]) = (A₁ ~ B₁);
                                (∀(x: A₁): (A₂ ~ B₂[x/y]))
([x: A₁, A₂] ~ [y: B₁, B₂])/a = (A₁ ~ B₁)/(p₁ a);
                                  (A₂[(p₁ a)/x] ~ B₂[(p₁ a)/y])/(p₂ a)
(A ~ B)/a = FALSE, otherwise.

As with (A ~ B)_Γ, the notation ((A ~ B)/a)_Γ indicates that all the proof obliga-
tions a' in (μ(A) ~ μ(B))/a are provable, that is, ⊢_Γ a'.

With dependent types, the type rules must be modified so as to augment 
the context suitably to account for any dependencies. We will give the defini- 
tions only for dependent type constructions. 

Definition 4.9 (type rules with dependent types)

τ(Γ)([x: A, B]) = TYPE, if Γ(x) is undefined,
                        τ(Γ)(A) = TYPE, and
                        τ(Γ, x: VAR A)(B) = TYPE
τ(Γ)([x: A→B]) = TYPE, if Γ(x) is undefined,
                       τ(Γ)(A) = TYPE, and
                       τ(Γ, x: VAR A)(B) = TYPE
τ(Γ)(f a) = B', where μ₀(τ(Γ)(f)) = [x: A→B],
                      τ(Γ)(a) = A',
                      (A ~ A')_Γ,
                      B' is B[a/x],
                      ⊢_Γ π(A)(a)
τ(Γ)(λ(x: A): a) = [x: A→B], where
                      B = τ(Γ, x: VAR A)(a)
τ(Γ)(p₁ a) = A₁, where μ₀(τ(Γ)(a)) = [x: A₁, A₂]
τ(Γ)(p₂ a) = A₂[(p₁ a)/x], where μ₀(τ(Γ)(a)) = [x: A₁, A₂]

² Note that the type-correctness of the proof obligation (π(A) = π(A')) in Definition 4.8
depends on the prior proof obligations μ(A) ~ μ(A').

Example 4.10 (dependent typing)

τ(Γ)([x: bool, {y: bool | x ⊃ y}]) = TYPE
τ(Γ)([x: bool→{y: bool | x ⊃ y}]) = TYPE


Before we can assign meanings to dependent types, we must augment our def-
inition of the universe U to contain sets corresponding to these constructions.
If F is a function with domain set X and a range Y, which is a set of sets, we
can define ΣF to be the set {(x, y) | x ∈ dom(F), y ∈ F(x)} and ΠF to be the
set {f | (∀x ∈ dom(F): f(x) ∈ F(x))}. Note that ΠF ⊆ ℘(ΣF) but we
include ΠF in the universe U defined below for simplicity. We can drop X × Y
and X^Y from the universe definition since X × Y can be obtained from ΣF by
defining an F with domain X that always returns Y, and similarly, X^Y can
be obtained by ΠF where F is defined with domain Y to always return X.
The universe U can then be redefined as below.

Definition 4.11 (type universe with dependent types)

U₀ = {2, ℝ}
Uᵢ₊₁ = Uᵢ ∪ ⋃_{X ∈ Uᵢ} ℘(X) ∪ {ΣF | F ∈ Wᵢ} ∪ {ΠF | F ∈ Wᵢ}
Wᵢ = ⋃_{X ∈ Uᵢ} Uᵢ^X
U_ω = ⋃_{i ∈ ω} Uᵢ
U = U_ω


One very important consequence of the above extension of the universe is
that all type dependencies must be bounded in the sense that if B is a type
expression with a single free variable x of type A, then it must be the case that
for any set [A] representing A, there is a bound n such that for any z in [A],
the meaning of B under {x ← z} must be in Uₙ. This property is easily proved
by induction on the structure of a PVS type since the parameter x can appear
only in the predicate part of a subtype where the rank of the meaning of the
resulting type cannot vary with the value of x. In particular, there is no way
to define a type constructor Tⁿ in PVS that returns the n-tuple [T, [..., T]]
(with n occurrences of T) for a given n since this would entail an unbounded
dependency. If unbounded type dependencies were allowed in PVS, one can
construct a dependent type such as [n: nat→Tⁿ] whose representation is not
in U as defined above.

The meaning function for dependent types is obtained by adding the cases
corresponding to dependent product and function types. All the other cases
are unchanged from Definition 3.12. Note that the semantic definition for
dependent types is equivalent to the nondependent one when there are no
dependencies.

Definition 4.12 (meaning function with dependent types)

M(Γ | γ)([x: A, B]) = ΣF, where
                        F maps z ∈ M(Γ | γ)(A) to
                        M(Γ, x: VAR A | γ{x ← z})(B)
M(Γ | γ)([x: A→B]) = ΠF, where
                       F maps z ∈ M(Γ | γ)(A) to
                       M(Γ, x: VAR A | γ{x ← z})(B)

Example 4.13 (meaning function with dependent types)

M(Γ | γ)([x: bool, {y: bool | x ⊃ y}]) = {(0, 0), (0, 1), (1, 1)}
M(Γ | γ)([x: bool→{y: bool | x ⊃ y}]) = {{(0, 0), (1, 1)},
                                         {(0, 1), (1, 1)}}


We now need to show that the extensions corresponding to dependent types preserve the properties in Theorems 3.18 and 3.19, namely, $\mathcal{M}(\Gamma \mid \gamma)(T) \in U$ and $\mathcal{M}(\Gamma \mid \gamma)(a) \in \mathcal{M}(\Gamma \mid \gamma)(\tau(\Gamma)(a))$. For the former, we prove a stronger theorem that incorporates the rank-boundedness of dependent types.

Theorem 4.14 (rank bounded type semantics) If $B$ is a pretype, $x_1, \ldots, x_n$ is a list of symbols, and $A_1, \ldots, A_n$ is a list of pretypes such that

1. $\tau()(\Gamma, x_1: \mathrm{VAR}\ A_1, \ldots, x_n: \mathrm{VAR}\ A_n) = \mathrm{CONTEXT}$,

2. $\tau(\Gamma, x_1: \mathrm{VAR}\ A_1, \ldots, x_n: \mathrm{VAR}\ A_n)(B) = \mathrm{TYPE}$, and

3. $\gamma$ is an assignment satisfying $\Gamma$,

then there is an $i$ such that for any list of values $z_1, \ldots, z_n$ where $\gamma\{x_1 \leftarrow z_1\} \ldots \{x_n \leftarrow z_n\}$ is a satisfying assignment for $\Gamma, x_1: \mathrm{VAR}\ A_1, \ldots, x_n: \mathrm{VAR}\ A_n$, we have

\[
\mathcal{M}(\Gamma, x_1: \mathrm{VAR}\ A_1, \ldots, x_n: \mathrm{VAR}\ A_n \mid \gamma\{x_1 \leftarrow z_1\} \ldots \{x_n \leftarrow z_n\})(B) \in U_i.
\]

Proof. The proof is by structural induction on the pretype $B$. Let $\Gamma'$ denote $\Gamma, x_1: \mathrm{VAR}\ A_1, \ldots, x_n: \mathrm{VAR}\ A_n$, let $\gamma'$ denote $\gamma\{x_1 \leftarrow z_1\} \ldots \{x_n \leftarrow z_n\}$, and let $[\![C]\!]$ denote $\mathcal{M}(\Gamma' \mid \gamma')(C)$.

1. $B = s$: Since $[\![B]\!]$ is just $\gamma(B)$ by Definition 2.6, we have that there is an $i$ such that $[\![B]\!] \in U_i$ regardless of the choice of values $z_1, \ldots, z_n$.

2. $B = \{y: T \mid a\}$: By the induction hypothesis, we know that for some $j$, it is always the case that $[\![T]\!] \in U_j$. By Definition 3.12, we have that $[\![B]\!] \subseteq [\![T]\!]$, so if we let $i = j + 1$, then by Definition 4.11, it is always the case that $[\![B]\!] \in U_i$.

3. $B = [y: C \to D]$: By Definition 4.9, $\Gamma'(y)$ is undefined, $\tau(\Gamma')(C) = \mathrm{TYPE}$, $\tau()(\Gamma', y: \mathrm{VAR}\ C) = \mathrm{CONTEXT}$, and $\tau(\Gamma', y: \mathrm{VAR}\ C)(D) = \mathrm{TYPE}$. By the induction hypothesis, for some $j$, it is always the case that $\mathcal{M}(\Gamma' \mid \gamma')(C) \in U_j$, and for some $k$, it is always the case that for any satisfying assignment $\gamma'\{y \leftarrow w\}$ for $\Gamma', y: \mathrm{VAR}\ C$, we have $\mathcal{M}(\Gamma', y: \mathrm{VAR}\ C \mid \gamma'\{y \leftarrow w\})(D) \in U_k$. Then the function $F$ mapping $w$ in $\mathcal{M}(\Gamma' \mid \gamma')(C)$ to $\mathcal{M}(\Gamma', y: \mathrm{VAR}\ C \mid \gamma'\{y \leftarrow w\})(D)$ is an element of $W_{j+k}$. Letting $i$ be $j + k + 1$, we have by Definition 4.12 that $\mathcal{M}(\Gamma' \mid \gamma')(B)$ is $\Pi F$ and is hence an element of $U_i$ by Definition 4.11.

4. $B = [y: C, D]$: Similar to the previous case.


By choosing $n$ to be $0$, the previous theorem yields the result that when $\tau(\Gamma)(B) = \mathrm{TYPE}$, $\mathcal{M}(\Gamma \mid \gamma)(B) \in U$.

We next need to establish that for any preterm $a$, if $\tau(\Gamma)(a) = A$, then $\mathcal{M}(\Gamma \mid \gamma)(a) \in \mathcal{M}(\Gamma \mid \gamma)(A)$. The first step in this direction is the proof of the substitution lemma below.
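As an added illustration, not part of the original report, of the bound $i = j + k + 1$ computed in case 3 of the proof, take $B = [x: \mathrm{bool} \to \{y: \mathrm{bool} \mid x \supset y\}]$ from Example 4.13 with $n = 0$ and assume $\gamma$ satisfies $\Gamma$:

\[
\begin{aligned}
\mathcal{M}(\Gamma \mid \gamma)(\mathrm{bool}) &= \mathbf{2} \in U_0, &&\text{so } j = 0 \\
\mathcal{M}(\Gamma, x: \mathrm{VAR}\ \mathrm{bool} \mid \gamma\{x \leftarrow 0\})(\{y: \mathrm{bool} \mid x \supset y\}) &= \{0, 1\} \in \wp(\mathbf{2}) \subseteq U_1 \\
\mathcal{M}(\Gamma, x: \mathrm{VAR}\ \mathrm{bool} \mid \gamma\{x \leftarrow 1\})(\{y: \mathrm{bool} \mid x \supset y\}) &= \{1\} \in \wp(\mathbf{2}) \subseteq U_1, &&\text{so } k = 1 \\
F &= \{(0, \{0,1\}), (1, \{1\})\} \in U_1^{\mathbf{2}} \subseteq W_1 \\
\Pi F &= \{\{(0,0),(1,1)\}, \{(0,1),(1,1)\}\} \in U_2, &&\text{so } i = j + k + 1 = 2
\end{aligned}
\]

The bound $i = 2$ does not depend on the value assigned to $x$, which is exactly the rank-boundedness the theorem asserts; the same $F$ gives $\Sigma F = \{(0,0),(0,1),(1,1)\} \in U_2$ for the dependent product of Example 4.13.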

Proposition 4.15 If $\tau()(\Gamma) = \tau()(\Gamma') = \mathrm{CONTEXT}$ where for each $s$, $\Gamma(s)$ is defined if and only if $\Gamma'(s)$ is defined, and $\gamma$ is an assignment satisfying both $\Gamma$ and $\Gamma'$, then

1. If $\Gamma(s) = \Gamma'(s)$ (i.e., they are equal when either $\Gamma(s)$ or $\Gamma'(s)$ is defined), then

 (a) $\tau(\Gamma)(a) = \tau(\Gamma')(a)$, for any preterm $a$.

 (b) $\tau(\Gamma)(A) = \tau(\Gamma')(A)$, for any pretype $A$.

2. $\mathcal{M}(\Gamma \mid \gamma)(A) = \mathcal{M}(\Gamma' \mid \gamma)(A)$, when $\tau(\Gamma)(A) = \mathrm{TYPE}$.

3. $\mathcal{M}(\Gamma \mid \gamma)(a) = \mathcal{M}(\Gamma' \mid \gamma)(a)$, for any preterm $a$ such that $\tau(\Gamma)(a)$ is defined.

Lemma 4.16 (substitution lemma) If $\tau()(\Gamma, x: \mathrm{VAR}\ A) = \mathrm{CONTEXT}$ and $\tau(\Gamma)(a) = A$, then

1. If $\tau(\Gamma, x: \mathrm{VAR}\ A)(b) = B$, then

\[
\mathcal{M}(\Gamma \mid \gamma)(b[a/x]) = \mathcal{M}(\Gamma, x: \mathrm{VAR}\ A \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(b).
\]

2. If $\tau(\Gamma, x: \mathrm{VAR}\ A)(C) = \mathrm{TYPE}$, then

\[
\mathcal{M}(\Gamma \mid \gamma)(C[a/x]) = \mathcal{M}(\Gamma, x: \mathrm{VAR}\ A \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(C).
\]
Proof. The proof is by simultaneous structural induction on the preterm $b$ and the pretype $C$. The following cases deal with the preterm $b$.

1. $b = s$: If $s = x$, then by Definition 4.12, the left-hand side $\mathcal{M}(\Gamma \mid \gamma)(b[a/x])$ is $\mathcal{M}(\Gamma \mid \gamma)(a)$, and the right-hand side $\mathcal{M}(\Gamma, x: \mathrm{VAR}\ A \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(b)$ is also $\mathcal{M}(\Gamma \mid \gamma)(a)$. If $s \neq x$, then by Definition 4.12, the left-hand side and the right-hand side are both equal to $\gamma(s)$.

2. $b = (\lambda(y: C): d)$: Since $C$ can contain free occurrences of $x$, we have by the induction hypothesis that $\mathcal{M}(\Gamma \mid \gamma)(C[a/x]) = \mathcal{M}(\Gamma, x: \mathrm{VAR}\ A \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(C)$. Also, $\mathcal{M}(\Gamma \mid \gamma)((\lambda(y: C): d)[a/x])$ is equal to the set of ordered pairs $(v, z)$ such that $v \in \mathcal{M}(\Gamma \mid \gamma)(C[a/x])$ and $z = \mathcal{M}(\Gamma, y: \mathrm{VAR}\ C[a/x] \mid \gamma\{y \leftarrow v\})(d[a/x])$.

By the induction hypothesis, $\mathcal{M}(\Gamma, y: \mathrm{VAR}\ C[a/x] \mid \gamma\{y \leftarrow v\})(d[a/x]) = \mathcal{M}(\Gamma, y: \mathrm{VAR}\ C[a/x], x: \mathrm{VAR}\ A \mid \gamma\{y \leftarrow v\}\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(d)$. Since $x$ does not occur free in $C[a/x]$, by Proposition 4.15 we can exchange the occurrences of $y$ and $x$ so that $\mathcal{M}(\Gamma, y: \mathrm{VAR}\ C[a/x], x: \mathrm{VAR}\ A \mid \gamma\{y \leftarrow v\}\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(d) = \mathcal{M}(\Gamma, x: \mathrm{VAR}\ A, y: \mathrm{VAR}\ C[a/x] \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\}\{y \leftarrow v\})(d)$.

By Definition 4.12, the right-hand side is the set of ordered pairs of the form $(v, z)$ such that $v \in \mathcal{M}(\Gamma, x: \mathrm{VAR}\ A \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(C)$ and $z = \mathcal{M}(\Gamma, x: \mathrm{VAR}\ A, y: \mathrm{VAR}\ C \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\}\{y \leftarrow v\})(d)$. By Proposition 4.15 and the induction hypothesis, we know that $\mathcal{M}(\Gamma, x: \mathrm{VAR}\ A, y: \mathrm{VAR}\ C \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\}\{y \leftarrow v\})(d) = \mathcal{M}(\Gamma, x: \mathrm{VAR}\ A, y: \mathrm{VAR}\ C[a/x] \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\}\{y \leftarrow v\})(d)$, and hence it follows that the two sets of ordered pairs are equal.

3. $b = (f\ c)$: In this case, $b[a/x] = (f[a/x]\ c[a/x])$ and the conclusion follows easily from the induction hypothesis and Definition 4.12.

4. $b = (b_1, b_2)$: The conclusion follows easily from Definitions 2.15 and 4.12 and the induction hypotheses.

5. $b = (p_i\ c)$: This case is also straightforward since $b[a/x] = (p_i\ c[a/x])$, and by the induction hypothesis, $\mathcal{M}(\Gamma, x: \mathrm{VAR}\ A \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(c) = \mathcal{M}(\Gamma \mid \gamma)(c[a/x])$.

The remaining cases deal with the pretype $C$.

1. $C = s$: This case is trivial since by Definition 2.15, $C[a/x] = C$ and the left-hand and right-hand sides both reduce to $\gamma(C)$.

2. $C = \{y: T \mid d\}$: The argument here follows along the lines of the $b = (\lambda(y: C): d)$ case above. By the induction hypotheses, we know that

\[
\begin{aligned}
\mathcal{M}(\Gamma, x: \mathrm{VAR}\ A \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(T) &= \mathcal{M}(\Gamma \mid \gamma)(T[a/x]) \\
\mathcal{M}(\Gamma, y: \mathrm{VAR}\ T[a/x], x: \mathrm{VAR}\ A \mid \gamma\{y \leftarrow z\}\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(d) &= \mathcal{M}(\Gamma, y: \mathrm{VAR}\ T[a/x] \mid \gamma\{y \leftarrow z\})(d[a/x]), \\
&\qquad \text{for any } z \in \mathcal{M}(\Gamma \mid \gamma)(T[a/x])
\end{aligned}
\]

The conclusion follows from Proposition 4.15 and Definition 4.12.

3. $C = [y: C_1 \to C_2]$: The argument here is similar to that of the previous case. Essentially, by the induction hypothesis and Proposition 4.15, the function mapping $z \in \mathcal{M}(\Gamma, x: \mathrm{VAR}\ A \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(C_1)$ to $\mathcal{M}(\Gamma, y: \mathrm{VAR}\ C_1[a/x], x: \mathrm{VAR}\ A \mid \gamma\{y \leftarrow z\}\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(a)\})(C_2)$ is the same as the function mapping $z \in \mathcal{M}(\Gamma \mid \gamma)(C_1[a/x])$ to $\mathcal{M}(\Gamma, y: \mathrm{VAR}\ C_1[a/x] \mid \gamma\{y \leftarrow z\})(C_2[a/x])$.

4. $C = [y: C_1, C_2]$: Similar to the previous case.


Proposition 4.17 is stated below without proof. It asserts the semantic equivalence with respect to term $a$ of types $A$ and $B$ when $(A \sim B)_\Gamma$ holds. Note that its correctness depends on the soundness of the proof rules.

Proposition 4.17 If $\tau()(\Gamma) = \mathrm{CONTEXT}$, $a$ is a preterm such that $\tau(\Gamma)(a) = B$, and $(A \sim B)_\Gamma$, then $\mathcal{M}(\Gamma \mid \gamma)(a) \in \mathcal{M}(\Gamma \mid \gamma)(A)$ iff $\mathcal{M}(\Gamma \mid \gamma)(a) \in \mathcal{M}(\Gamma \mid \gamma)(B)$.

Theorem 4.18 If $\tau()(\Gamma) = \mathrm{CONTEXT}$, $\gamma$ is an assignment satisfying $\Gamma$, and $a$ is a preterm such that $\tau(\Gamma)(a) = A$, then $\mathcal{M}(\Gamma \mid \gamma)(a) \in \mathcal{M}(\Gamma \mid \gamma)(A)$.

Proof. The proof is by induction on the structure of the preterm $a$.

1. $a = s$: Then by Definition 4.12, $\mathcal{M}(\Gamma \mid \gamma)(a) = \gamma(a)$, and by Definition 2.8, we have that $\gamma(a) \in \mathcal{M}(\Gamma \mid \gamma)(A)$.

2. $a = (\lambda(x: C): b)$: By Definition 4.9, we have $\tau(\Gamma)(a) = A = [x: C \to \tau(\Gamma, x: \mathrm{VAR}\ C)(b)]$. Let $B$ label $\tau(\Gamma, x: \mathrm{VAR}\ C)(b)$. We know that $\mathcal{M}(\Gamma \mid \gamma)(A)$ is of the form $\Pi F$ where $F$ maps $z \in \mathcal{M}(\Gamma \mid \gamma)(C)$ to $\mathcal{M}(\Gamma, x: \mathrm{VAR}\ C \mid \gamma\{x \leftarrow z\})(B)$.

By the induction hypothesis on $b$, we know that for any $z \in \mathcal{M}(\Gamma \mid \gamma)(C)$, $\mathcal{M}(\Gamma, x: \mathrm{VAR}\ C \mid \gamma\{x \leftarrow z\})(b) \in \mathcal{M}(\Gamma, x: \mathrm{VAR}\ C \mid \gamma\{x \leftarrow z\})(B)$. Since by Definition 4.12, $\mathcal{M}(\Gamma \mid \gamma)(a)$ is a function mapping $z \in \mathcal{M}(\Gamma \mid \gamma)(C)$ to $\mathcal{M}(\Gamma, x: \mathrm{VAR}\ C \mid \gamma\{x \leftarrow z\})(b)$, we have $\mathcal{M}(\Gamma \mid \gamma)(a) \in \Pi F$ by the definition of $\Pi$.

3. $a = (f\ b)$: By Definition 4.9, we have that $\tau(\Gamma)(f) = [x: B \to A']$, $\tau(\Gamma)(b) = B'$, $(B \sim B')_\Gamma$, $A = A'[b/x]$, and $\vdash_\Gamma \pi(B)(b)$. We know by the induction hypothesis that $\mathcal{M}(\Gamma \mid \gamma)(f) \in \mathcal{M}(\Gamma \mid \gamma)([x: B \to A'])$ and $\mathcal{M}(\Gamma \mid \gamma)(b) \in \mathcal{M}(\Gamma \mid \gamma)(B')$. By Propositions 4.17 and 3.17, $\mathcal{M}(\Gamma \mid \gamma)(b) \in \mathcal{M}(\Gamma \mid \gamma)(\mu(B))$. We therefore have by Proposition 3.17 that $\mathcal{M}(\Gamma \mid \gamma)(b) \in \mathcal{M}(\Gamma \mid \gamma)(B)$. By Definition 4.12, $\mathcal{M}(\Gamma \mid \gamma)(a) \in \mathcal{M}(\Gamma, x: \mathrm{VAR}\ B \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(b)\})(A')$, and hence by Lemma 4.16 it follows that $\mathcal{M}(\Gamma \mid \gamma)(a) \in \mathcal{M}(\Gamma \mid \gamma)(A'[b/x])$.

4. $a = (a_1, a_2)$: The conclusion follows easily from the induction hypothesis and Definition 4.9.

5. $a = (p_1\ b)$: The conclusion follows easily from Proposition 3.17, the induction hypothesis, and Definition 4.9. The $(p_2\ b)$ case also employs Lemma 4.16.


4.1 Summary 

Dependent typing is a significant enhancement to PVS since it adds an im- 
portant degree of flexibility and precision to the type system. Notions such 
as subtype constraints and type equivalence that were introduced for subtyp- 
ing can be extended for the case of dependent types. The semantic universe 
must be extended to include additional sets to accommodate the semantics 
of dependent types. The rank-boundedness of type dependencies is crucial 
in demonstrating that dependent types can be interpreted in this extended 
semantic universe. 



Chapter 5 

Theories and Parametric 
Theories 


The next extension of the PVS language introduces theories and parametric 
theories. The theory construct of PVS provides a way of packaging together 
a related collection of declarations. Theories can be parametric in individual 
or type parameters. Thus, PVS permits polymorphism or type parametricity 
only at the theory level rather than at the declaration level as in HOL [GM93]. 
We first consider PVS theories without parameters. The main change now is 
that contexts are no longer simple and can contain theory declarations as well. 
A theory declaration has the form $m: \mathrm{THEORY} = \Delta$, where $\Delta$ is a simple context with no variable or theory declarations. If $\Gamma(m)$ is the declaration $m: \mathrm{THEORY} = \Delta$, then $\mathit{kind}(\Gamma(m)) = \mathrm{THEORY}$, and $\mathit{definition}(\Gamma(m)) = \Delta$. Correspondingly, constants and type names are no longer just symbols but can be compound names of the form $m.s$, where $m$ is a symbol naming a theory and $s$ is a symbol corresponding to the constant or type name.

5.1 Theories without Parameters 

To define the type rules for theories, we first modify the definition of $\tau$ for simple contexts so that the context argument is not always empty. Here $\Theta; \Gamma$ represents the concatenation of contexts.

Definition 5.1 (type rules for contexts)

\[
\begin{aligned}
\tau(\Theta)(\{\}) &= \mathrm{CONTEXT} \\
\tau(\Theta)(\Gamma, s: \mathrm{TYPE} = T) &= \mathrm{CONTEXT}, \text{ if } \Gamma(s) \text{ and } \Theta(s) \text{ are undefined, } \tau(\Theta)(\Gamma) = \mathrm{CONTEXT}, \text{ and } \tau(\Theta; \Gamma)(T) = \mathrm{TYPE} \\
\tau(\Theta)(\Gamma, c: T) &= \mathrm{CONTEXT}, \text{ if } \Gamma(c) \text{ and } \Theta(c) \text{ are undefined, } \tau(\Theta)(\Gamma) = \mathrm{CONTEXT}, \text{ and } \tau(\Theta; \Gamma)(T) = \mathrm{TYPE} \\
\tau(\Theta)(\Gamma, x: \mathrm{VAR}\ T) &= \mathrm{CONTEXT}, \text{ if } \Gamma(x) \text{ and } \Theta(x) \text{ are undefined, } \tau(\Theta)(\Gamma) = \mathrm{CONTEXT}, \text{ and } \tau(\Theta; \Gamma)(T) = \mathrm{TYPE}
\end{aligned}
\]


Example 5.2 (type rules for contexts)

\[
\tau(\Omega)(\mathrm{real}: \mathrm{TYPE},\ 0: \mathrm{real},\ {<}: [[\mathrm{real}, \mathrm{real}] \to \mathrm{bool}]) = \mathrm{CONTEXT}
\]


The following rule handles theory declarations. 

Definition 5.3 (type rule for contexts with theory declarations)

\[
\begin{aligned}
\tau(\Theta)(\Gamma, m: \mathrm{THEORY} = \Delta) = \mathrm{CONTEXT}, \text{ if } &\Gamma(m) \text{ and } \Theta(m) \text{ are undefined,} \\
&\Delta \text{ only has constant and type declarations,} \\
&\tau(\Theta; \Gamma)(\Delta) = \mathrm{CONTEXT}, \text{ and} \\
&\tau(\Theta)(\Gamma) = \mathrm{CONTEXT}
\end{aligned}
\]


Example 5.4 (contexts with theory declarations)

\[
\tau(\Theta)(\mathrm{reals}: \mathrm{THEORY} = (\mathrm{real}: \mathrm{TYPE},\ 0: \mathrm{real},\ {<}: [[\mathrm{real}, \mathrm{real}] \to \mathrm{bool}])) = \mathrm{CONTEXT}
\]


Any reference to a type name or a constant $s$ declared in a theory $m$ outside of this theory must be prefixed by the theory name, as in $m.s$. Note that references to a type name or constant that is declared in the same theory should not be given a theory prefix. Before we can give the type rules, we must update the definition of the type expansion operation $\delta$ to prefix symbols with their theory names. Let $\Gamma(m)(s)$ abbreviate $\mathit{definition}(\Gamma(m))(s)$, which is the declaration of the symbol $s$ in the definition of the theory $m$. Let $\eta(\Gamma, m)(a)$ be the result of prefixing every unprefixed type or constant symbol in $a$ by $m$, where $a$ is either an individual or type expression. We omit the definition of $\eta$ since it is straightforward.

We modify the definition of $\delta$ in Definition 2.16 with the following clauses.

Definition 5.5 (expanded type for prefixed symbols)

\[
\begin{aligned}
\delta(\Gamma)(m.s) &= \delta(\Gamma)(\eta(\Gamma, m)(\mathit{definition}(\Gamma(m)(s)))), \text{ if } \mathit{definition}(\Gamma(m)(s)) \text{ is nonempty.} \\
\delta(\Gamma)(m.s) &= m.s, \text{ if } \mathit{definition}(\Gamma(m)(s)) \text{ is empty.}
\end{aligned}
\]


Example 5.6 (expanded type for prefixed symbols) Let $\Omega''$ be the context

\[
\begin{aligned}
\Omega,\ \mathrm{reals}: \mathrm{THEORY} = (&\mathrm{real}: \mathrm{TYPE}, \\
&0: \mathrm{real}, \\
&{<}: [[\mathrm{real}, \mathrm{real}] \to \mathrm{bool}], \\
&\mathrm{nonneg\_real}: \mathrm{TYPE} = \{x: \mathrm{real} \mid {<}(0, x)\}, \\
&1: \mathrm{nonneg\_real})
\end{aligned}
\]

\[
\delta(\Omega'')(\mathrm{reals.nonneg\_real}) = \{x: \mathrm{reals.real} \mid \mathrm{reals.}{<}(\mathrm{reals.}0, x)\}
\]


The type rules for prefixed symbols are given below. 

Definition 5.7 (type rules for prefixed symbols)

\[
\begin{aligned}
\tau(\Gamma)(m.s) &= \mathrm{TYPE}, \text{ if } \mathit{kind}(\Gamma(m)) = \mathrm{THEORY} \text{ and } \mathit{kind}(\Gamma(m)(s)) = \mathrm{TYPE} \\
\tau(\Gamma)(m.s) &= \delta(\Gamma)(\eta(\Gamma, m)(\mathit{type}(\Gamma(m)(s)))), \text{ if } \mathit{kind}(\Gamma(m)) = \mathrm{THEORY} \text{ and } \mathit{kind}(\Gamma(m)(s)) = \mathrm{CONSTANT}
\end{aligned}
\]

Example 5.8 (type rules for prefixed symbols)

\[
\begin{aligned}
\tau(\Omega'')(\mathrm{reals.nonneg\_real}) &= \mathrm{TYPE} \\
\tau(\Omega'')(\mathrm{reals.}1) &= \{x: \mathrm{reals.real} \mid \mathrm{reals.}{<}(\mathrm{reals.}0, x)\}
\end{aligned}
\]


The operations $\pi$ and $\mu$ remain unchanged. An assignment $\gamma$ now maps a theory name $m$ to an assignment $\gamma(m)$.

Definition 5.9 (meaning function for prefixed symbols)

\[
\mathcal{M}(\Gamma \mid \gamma)(m.s) = \gamma(m)(s)
\]

Example 5.10 (meaning function for prefixed symbols) Let $\omega''$ be a satisfying assignment for $\Omega''$ of the form

\[
\ldots \{\mathrm{reals} \leftarrow \{\mathrm{real} \leftarrow \mathbf{R}\}\{0 \leftarrow 0\} \ldots\}
\]

\[
\begin{aligned}
\mathcal{M}(\Omega'' \mid \omega'')(\mathrm{reals.real}) &= \mathbf{R} \\
\mathcal{M}(\Omega'' \mid \omega'')(\mathrm{reals.}0) &= 0
\end{aligned}
\]


Definition 5.11 (satisfaction for contexts with theories) An assignment $\gamma$ satisfies a context $\Gamma$ if in addition to the constraints stated in Definition 2.18, $\gamma$ maps every theory $m$ declared in $\Gamma$ to a satisfying assignment for the body of the theory given by $\mathit{definition}(\Gamma(m))$, that is, for each declared symbol $s$ in $m$:

1. If $\mathit{kind}(\Gamma(m)(s)) = \mathrm{TYPE}$, then $\gamma(m)(s) \in U$.

2. If $\mathit{kind}(\Gamma(m)(s)) = \mathrm{CONSTANT}$, then $\gamma(m)(s) \in \mathcal{M}(\Gamma \mid \gamma)(\tau(\Gamma)(m.s))$.

3. If $\mathit{definition}(\Gamma(m)(s))$ is nonempty, then

\[
\gamma(m)(s) = \mathcal{M}(\Gamma \mid \gamma)(\eta(\Gamma, m)(\mathit{definition}(\Gamma(m)(s)))).
\]
5.2 Constant Definitions

We first extend the subset of PVS described so far to include constant definitions in a manner similar to type definitions. This extension is used in formalizing the semantics of parametric theories. The syntax for a constant definition is $c: T = a$, where $\mathit{definition}(\Gamma(c))$ is $a$. These definitions are explicit, that is, not recursive. With this extension, the type rule for constant declarations in contexts changes from that of Definition 3.10.

Definition 5.12 (type rule with constant definitions)

\[
\begin{aligned}
\tau(\Theta)(\Gamma, c: T = a) = \mathrm{CONTEXT}, \text{ if } &\Gamma(c) \text{ is undefined,} \\
&\Theta(c) \text{ is undefined,} \\
&\tau(\Theta)(\Gamma) = \mathrm{CONTEXT}, \\
&\tau(\Theta; \Gamma)(a) = T', \\
&(T \sim T')_\Gamma, \text{ and} \\
&\vdash_\Gamma \pi(T)(a)
\end{aligned}
\]


The notion of satisfaction must be extended from that of Definition 5.11 to ensure that an assignment for a defined constant satisfies the definition.

Definition 5.13 (satisfaction with constant definitions) An assignment $\gamma$ satisfies a context $\Gamma$ if in addition to the conditions in Definition 5.11, whenever $\mathit{kind}(\Gamma(s)) = \mathrm{CONSTANT}$ and $\mathit{definition}(\Gamma(s))$ is nonempty, then $\gamma(s) = \mathcal{M}(\Gamma \mid \gamma)(\mathit{definition}(\Gamma(s)))$. $\blacksquare$

5.3 Parametric Theories 

The extension to parametric theories is obtained by permitting theories to be declared as $m[\Pi]: \mathrm{THEORY} = \Delta$, where $\Pi$ is a context listing the parameters and $\Delta$ is the body of the theory. If the above declaration of $m$ occurs in context $\Gamma$, then $\Pi$ is $\mathit{formals}(\Gamma(m))$, and $\Delta$ is $\mathit{definition}(\Gamma(m))$. For nonparametric theories, $\mathit{formals}(\Gamma(m))$ is empty. Types or constants declared in a parametric theory are referenced outside the theory as $m[\sigma].s$, where $\sigma$ is a list of actual parameters consisting of types and terms. The type rule from the nonparametric case must be modified to check the parameters.

Definition 5.14 (type rule for contexts with parametric theories)

\[
\begin{aligned}
\tau(\Theta)(\Gamma, m[\Pi]: \mathrm{THEORY} = \Delta) = \mathrm{CONTEXT}, \text{ if } &\Gamma(m), \Theta(m), \Pi(m) \text{ are undefined,} \\
&\tau(\Theta)(\Gamma) = \mathrm{CONTEXT}, \\
&\tau(\Theta; \Gamma)(\Pi) = \mathrm{CONTEXT}, \\
&\Pi \text{ has only constant and type declarations without definitions,} \\
&\tau(\Theta; \Gamma; \Pi)(\Delta) = \mathrm{CONTEXT}, \text{ and} \\
&\Delta \text{ only has type and constant declarations}
\end{aligned}
\]


The type rules for prefixed symbols are given below. The notation $\Pi = \sigma$, where $\Pi$ is of the form $s_1: \alpha_1, \ldots, s_n: \alpha_n$ and $\sigma$ is of the form $\sigma_1, \ldots, \sigma_n$, is short for the context $s_1: \alpha_1 = \sigma_1, \ldots, s_n: \alpha_n = \sigma_n$. The definition of $\eta$ is now extended to substitute actual theory parameters for formals, so that $\eta(\Gamma, m[\sigma])(a)$ prefixes every unprefixed symbol $s$ in $a$ that is declared in $\mathit{definition}(\Gamma(m))$ by $m[\sigma]$, and replaces any $s_i$ in $a$ that is declared in $\mathit{formals}(\Gamma(m))$ by the corresponding $\sigma_i$ in $\sigma$.

Definition 5.15 (type rules for prefixed names with actuals) Let $\Pi$ be $\mathit{formals}(\Gamma(m))$.

\[
\begin{aligned}
\tau(\Gamma)(m[\sigma].s) &= \mathrm{TYPE}, \text{ if } \mathit{kind}(\Gamma(m)) = \mathrm{THEORY}, \mathit{kind}(\Gamma(m)(s)) = \mathrm{TYPE}, \text{ and } \tau(\Gamma)(\Pi = \sigma) = \mathrm{CONTEXT} \\
\tau(\Gamma)(m[\sigma].s) &= \delta(\Gamma)(\eta(\Gamma, m[\sigma])(\mathit{type}(\Gamma(m)(s)))), \text{ if } \mathit{kind}(\Gamma(m)) = \mathrm{THEORY}, \mathit{kind}(\Gamma(m)(s)) = \mathrm{CONSTANT}, \text{ and } \tau(\Gamma)(\Pi = \sigma) = \mathrm{CONTEXT}
\end{aligned}
\]

Definition 5.16 (type expansion with parametric theories)

\[
\begin{aligned}
\delta(\Gamma)(m[\sigma].s) &= \delta(\Gamma)(\eta(\Gamma, m[\sigma])(\mathit{definition}(\Gamma(m)(s)))), \text{ if } \mathit{definition}(\Gamma(m)(s)) \text{ is nonempty.} \\
\delta(\Gamma)(m[\sigma].s) &= m[\sigma].s, \text{ if } \mathit{definition}(\Gamma(m)(s)) \text{ is empty.}
\end{aligned}
\]
The definition of an assignment for a context with parametric theories is a bit complicated. In the nonparametric case, $\gamma(m)$ simply returns an assignment of values for the types and constants declared in the theory $m$. For the case of parametric theories $m$, $\gamma(m)$ returns a function that maps the meaning of the given actuals $\sigma$ to an assignment $\gamma(m)(\mathcal{M}(\Gamma \mid \gamma)(\sigma))$ for the types and constants declared in the theory $m$. There is an important restriction that $\gamma(m)$ must be rank-preserving, that is, if $w$ and $w'$ are assignments for $\Pi$ such that for each $i$ where $\Pi_i$ is a type parameter, the rank of $w(\Pi_i)$ equals the rank of $w'(\Pi_i)$, then the ranks of $\gamma(m)(w)(s)$ and $\gamma(m)(w')(s)$ must be the same for each type symbol $s$ declared in $m$.

It is also important to observe that the semantics of parametric theories makes use of the axiom of choice, since the assignment corresponding to a theory $m$ of the form $m[t: \mathrm{TYPE}]: \mathrm{THEORY} = \{c: t\}$ is essentially a choice function.

Let $\gamma\{\Pi \leftarrow w\}$ represent the assignment such that $\gamma\{\Pi \leftarrow w\}(s) = w(s)$ for $s$ in the domain of the context $\Pi$, and $\gamma(s)$ otherwise. The meaning of symbols of the form $m[\sigma].s$ can then be defined as below.

Definition 5.17 (meaning function for prefixed symbols with actuals)

\[
\begin{aligned}
\mathcal{M}(\Gamma \mid \gamma)(m[\sigma].s) &= \mathcal{M}(\Gamma; \Pi; \Delta \mid \gamma\{\Pi \leftarrow w\}\{\Delta \leftarrow \gamma(m)(w)\})(s), \text{ where} \\
\Pi &= \mathit{formals}(\Gamma(m)) \\
\Delta &= \mathit{definition}(\Gamma(m)) \\
w(r) &= \mathcal{M}(\Gamma \mid \gamma)((\Pi = \sigma)(r)), \text{ for } r \in \Pi
\end{aligned}
\]


The definition of a satisfying assignment given in Definition 5.11 also must be strengthened. Let $\Pi$ be the formal parameters to theory $m$ in context $\Gamma$; then an assignment $w$ is said to be a satisfying parameter assignment for $\Pi$ under the assignment $\gamma$ to $\Gamma$ iff $\gamma\{\Pi \leftarrow w\}$ is a satisfying assignment for $\Pi$.

Definition 5.18 (satisfaction for contexts with parametric theories) An assignment $\gamma$ satisfies a context $\Gamma$ if in addition to the constraints stated in Definition 5.11, $\gamma$ maps every parametric theory $m$ declared in $\Gamma$ with parameters $\Pi$ and definition $\Delta$ to a function that maps any satisfying parameter assignment $w$ for the theory parameters $\Pi$ (namely, $\mathit{formals}(\Gamma(m))$) to a satisfying assignment $\gamma\{\Pi \leftarrow w\}\{\Delta \leftarrow \gamma(m)(w)\}$ for $\Delta$ (given by $\mathit{definition}(\Gamma(m))$). $\blacksquare$
5.4 Summary

Theories are used to package related declarations together. Parametric the- 
ories can be used to package together declarations that are generic in type 
and individual parameters. The type rules for contexts must be extended to 
accommodate the theories. The type rules for simple (nonparametric) theories 
are straightforward given this extension. The operation of expanding a type 
using type definitions must be enhanced so that symbols declared in a theory 
are prefixed with their theory name when referenced outside the theory. As- 
signments now have the same nested structure as contexts, and the semantic 
definition is easily extended to handle prefixed symbols. Parametric theories 
are more complex. The theory prefixes now contain actual parameters that 
have to be typechecked relative to the expected formal parameters. The as- 
signments corresponding to parametric theories are functions that map given 
assignments for the formals to assignments for the declarations within a the- 
ory. Such a mapping must be constrained to be rank-preserving. Parametric 
theories can have subtype parameters, and assumptions on the parameters. 
The rules for subtype parameters and assumptions are omitted for now but 
will be included in an expanded version of this report. 



Chapter 6 

Conditional Expressions and 
Logical Connectives 


We have, so far, introduced the core of PVS containing types, type definitions, 
constant and variable declarations, subtypes, dependent types, and theories. 
In extending the language with both explicit and recursive constant definitions 
and formulas, a crucial difference is that the logical context under which a 
type-correctness condition is generated provides additional assumptions that 
can be used in proving any proof obligations. Examples of expressions where 
an extended context is needed to establish type correctness by discharging 
proof obligations include 

1. $x \neq y \supset (x + y)/(x - y) < 0$. The type of the division operator constrains the denominator to be nonzero, that is, $\{x: \mathrm{real} \mid x \neq 0\}$. In the given expression, the denominator can be shown to be nonzero only in the context of the antecedent $x \neq y$.

2. $\mathrm{IF}(i > 0, i, -i)$ has type $\mathrm{nat}$ given integer $i$ provided the then and else parts are typechecked with the assumptions $i > 0$ and $\neg(i > 0)$, respectively.

PVS has a polymorphic primitive equality predicate:

\[
\mathrm{equality}[T: \mathrm{TYPE}]: \mathrm{THEORY} = \{\ {=}: [[T, T] \to \mathrm{bool}]\ \}
\]

Note that an equality of the form $\mathrm{equality}[T].{=}(a, b)$ is informally written as $a = b$. When it is relevant to indicate the type parameter, we write the equality as $a =_T b$. It can be deduced from the meaning of equality that if $S$ is a subtype of $T$, then for $a$ and $b$ in $S$, it must be the case that $a =_S b$ iff $a =_T b$. Thus, we can assume that equality is always parameterized by a maximal type. We assume that any relevant context $\Gamma$ contains the above declaration of the theory $\mathrm{equality}$. Furthermore, any satisfying assignment $\gamma$ for such a $\Gamma$ must satisfy

\[
\gamma(\mathrm{equality})(X)({=}) = \{(x, x) \mid x \in X\}.
\]
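The following worked instance, added here and not part of the original report, applies Definition 5.17 to the $\mathrm{equality}$ declaration, assuming a context $\Gamma$ containing it and an assignment $\gamma$ satisfying $\Gamma$; the formals are $\Pi = t: \mathrm{TYPE}$, the actual is $\sigma = \mathrm{bool}$, so $\Pi = \sigma$ is the context $t: \mathrm{TYPE} = \mathrm{bool}$:

\[
\begin{aligned}
w(t) &= \mathcal{M}(\Gamma \mid \gamma)((t: \mathrm{TYPE} = \mathrm{bool})(t)) = \mathcal{M}(\Gamma \mid \gamma)(\mathrm{bool}) = \mathbf{2} \\
\mathcal{M}(\Gamma \mid \gamma)(\mathrm{equality}[\mathrm{bool}].{=}) &= \mathcal{M}(\Gamma; \Pi; \Delta \mid \gamma\{\Pi \leftarrow w\}\{\Delta \leftarrow \gamma(\mathrm{equality})(w)\})({=}) \\
&= \gamma(\mathrm{equality})(w)({=}) = \{(x, x) \mid x \in w(t)\} = \{(0, 0), (1, 1)\}
\end{aligned}
\]

Here $\gamma(\mathrm{equality})(w)$ with $w(t) = X$ is what the constraint above abbreviates as $\gamma(\mathrm{equality})(X)$; the rank-preservation requirement of Definition 5.17 is vacuous for this theory since $\Delta = \{{=}: [[t, t] \to \mathrm{bool}]\}$ declares no type symbols.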

The negation operation can be defined in terms of equality as shown below. We assume that the context contains a declaration of the form

\[
\neg: [\mathrm{bool} \to \mathrm{bool}] = (\lambda(x: \mathrm{bool}): x = \mathrm{FALSE})
\]

As is clear, a satisfying assignment $\gamma$ for a context $\Gamma$ containing the above declaration must be such that $\gamma(\neg)$ yields the usual truth-table semantics, that is, $\{(0, 1), (1, 0)\}$.

We can then introduce the polymorphic IF-THEN-ELSE operation as fol- 
lows: 

\[
\mathrm{if\_def}[T: \mathrm{TYPE}]: \mathrm{THEORY} = \{\ \mathrm{IF}: [\mathrm{bool}, T, T \to T]\ \}
\]

In typechecking conditional expressions, the notion of context has to be extended to include formulas so that the typechecking of the subterm $b$ in $\mathrm{IF}(a, b, c)$ is done in the context of $a$, and the typechecking of $c$ is done in the context of $\neg a$. There is one new typechecking rule for contexts with formulas.

\[
\tau()(\Gamma, a) = \mathrm{CONTEXT}, \text{ if } \tau()(\Gamma) = \mathrm{CONTEXT} \text{ and } (\tau(\Gamma)(a) \sim \mathrm{bool})_\Gamma
\]

Note that the type rule checks that the type of $a$ is compatible with $\mathrm{bool}$ rather than equivalent to it, since it is possible that the type of $a$ might be a subtype of $\mathrm{bool}$.

Definition 6.1 (satisfaction for contexts with formulas) An assignment $\gamma$ satisfies context $\Gamma$ when in addition to the conditions in Definition 5.18, for each prefix $\Gamma', a$ of $\Gamma$, $\mathcal{M}(\Gamma' \mid \gamma)(a) = 1$. $\blacksquare$

The typechecking of conditional expressions is different from that of other 
application expressions since the test part of the conditional expression is 
introduced into the context as a contextual assumption. 
Definition 6.2 (type rule for conditional expressions)

\[
\begin{aligned}
\tau(\Gamma)(\mathrm{if\_def}[T].\mathrm{IF}(a, b, c)) = T, \text{ if } &(\tau(\Gamma)(a) \sim \mathrm{bool})_\Gamma, \\
&\tau(\Gamma, a)(b) = B, \\
&(B \sim T)_{\Gamma, a}, \\
&\vdash_{\Gamma, a} \pi(T)(b), \\
&\tau(\Gamma, \neg a)(c) = C, \\
&(C \sim T)_{\Gamma, \neg a}, \text{ and} \\
&\vdash_{\Gamma, \neg a} \pi(T)(c)
\end{aligned}
\]


The meaning of conditional expressions must be treated in a special way since the else part need not denote when the test part is true and, correspondingly, the then part need not denote if the test part is false. We assume that any relevant context $\Gamma$ contains the above declaration of the $\mathrm{if\_def}$ theory. Conditional expressions can be regarded as a new construct in the language rather than a form of application. However, it is conservative to regard conditional expressions as applications since the latter introduce the additional constraint that all the arguments must already denote, that is, applications are strict.

Definition 6.3 (meaning function for conditional expressions)

\[
\mathcal{M}(\Gamma \mid \gamma)(\mathrm{if\_def}[T].\mathrm{IF}(a, b, c)) =
\begin{cases}
\mathcal{M}(\Gamma \mid \gamma)(b), & \text{if } \mathcal{M}(\Gamma \mid \gamma)(a) = 1 \\
\mathcal{M}(\Gamma \mid \gamma)(c), & \text{otherwise}
\end{cases}
\]

The semantics for conditional expressions raises an important issue. The equality

\[
\mathrm{if\_def}[\mathrm{bool}].\mathrm{IF}(x, y, \mathrm{FALSE}) = \mathrm{if\_def}[\mathrm{bool}].\mathrm{IF}(y, x, \mathrm{FALSE})
\]

is semantically valid for variables $x$ and $y$ of type $\mathrm{bool}$. An expression like $\mathrm{if\_def}[\mathrm{bool}].\mathrm{IF}(i \neq 0, 1/i > 0, \mathrm{FALSE})$ can be typechecked to have the type $\mathrm{bool}$ since it generates a valid proof obligation $i \neq 0 \supset i \neq 0$, but the seemingly equivalent expression $\mathrm{if\_def}[\mathrm{bool}].\mathrm{IF}(1/i > 0, i \neq 0, \mathrm{FALSE})$ generates an unverifiable proof obligation $i \neq 0$. This may seem contradictory since the equality suggests a transformation of a type correct conditional expression to a type incorrect expression. The resolution here is that the equality cannot be instantiated with $i \neq 0$ for $x$ and $1/i > 0$ for $y$, since the expression $1/i > 0$ typechecks as having type $\mathrm{bool}$ only when $i \neq 0$ is known from the context. The same applies in the case of the other propositional connectives, thus ensuring that each expression is type correct in the context in which it occurs.

We can then define the propositional connectives in terms of conditional expressions.

\[
\begin{aligned}
\wedge: [[\mathrm{bool}, \mathrm{bool}] \to \mathrm{bool}] &= \lambda(x: \mathrm{bool}, y: \mathrm{bool}): \mathrm{if\_def}[\mathrm{bool}].\mathrm{IF}(x, y, \mathrm{FALSE}) \\
\vee: [[\mathrm{bool}, \mathrm{bool}] \to \mathrm{bool}] &= \lambda(x: \mathrm{bool}, y: \mathrm{bool}): \mathrm{if\_def}[\mathrm{bool}].\mathrm{IF}(x, \mathrm{TRUE}, y) \\
\supset: [[\mathrm{bool}, \mathrm{bool}] \to \mathrm{bool}] &= \lambda(x: \mathrm{bool}, y: \mathrm{bool}): \mathrm{if\_def}[\mathrm{bool}].\mathrm{IF}(x, y, \mathrm{TRUE})
\end{aligned}
\]


In the typechecking of terms of the form $a \wedge b$, we follow the corresponding rule for the definition so that the term $a$ is assumed in the context when typechecking term $b$. Similarly, for $a \vee b$, the formula $\neg a$ is assumed in the context when typechecking $b$, and for $a \supset b$, the formula $a$ is assumed in the context when typechecking $b$. The Boolean equivalence operator $\mathrm{IFF}$ has no special rules for adding formulas to contexts during typechecking.


6.1 Summary 

The use of assumption formulas enables expressions to be typechecked within the narrow context of their use so that the governing assumptions can be used in discharging any proof obligations. The type rules for conditional expressions and the Boolean connectives $\wedge$, $\vee$, and $\supset$ make use of contextual assumptions.



Chapter 7 

Proof Theory of PVS 


The final step in the presentation of the semantics is the presentation of the 
proof rules for the idealized subset of PVS described thus far. As already indi- 
cated, the proof theory is an integral part of the semantics since typechecking 
and proof checking are closely intertwined. Fortunately, the proof rules turn 
out to be much less complicated than the type rules. 

The PVS proof theory is presented in terms of a sequent calculus. A sequent is of the form $\Sigma \vdash_\Gamma \Delta$, where $\Gamma$ is the context, $\Sigma$ is a set of antecedent formulas, and $\Delta$ is a set of consequent formulas. Such a sequent should be read as stating that the conjunction of the formulas in $\Sigma$ implies the disjunction of the formulas in $\Delta$.

Inference rules are presented in the form

\[
\frac{\text{premise(s)}}{\text{conclusion}}\ \text{name} \quad \text{side condition}
\]

7.1 PVS Proof Rules 

7.1.1 Structural Rules 

The structural rules permit the sequent to be rearranged or weakened via the introduction of new sequent formulas into the conclusion. All the structural rules can be expressed in terms of the single powerful weakening rule shown below. It allows a weaker statement to be derived from a stronger one by adding either antecedent formulas or consequent formulas. The relation $\Sigma_1 \subseteq \Sigma_2$ holds between two lists when all the formulas in $\Sigma_1$ occur in the list $\Sigma_2$.

\[
\frac{\Sigma_1 \vdash_\Gamma \Delta_1}{\Sigma_2 \vdash_\Gamma \Delta_2}\ \mathrm{W} \quad \text{if } \Sigma_1 \subseteq \Sigma_2 \text{ and } \Delta_1 \subseteq \Delta_2
\]

Both the Contraction and Exchange rules shown below are absorbed by the above weakening rule $\mathrm{W}$. The Contraction rules $\mathrm{C}\vdash$ and $\vdash\mathrm{C}$ allow multiple occurrences of the same sequent formula to be replaced by a single occurrence.

\[
\frac{a, a, \Sigma \vdash_\Gamma \Delta}{a, \Sigma \vdash_\Gamma \Delta}\ \mathrm{C}\vdash
\qquad
\frac{\Sigma \vdash_\Gamma a, a, \Delta}{\Sigma \vdash_\Gamma a, \Delta}\ \vdash\mathrm{C}
\]

The Exchange rule asserts that the order of the formulas in the antecedent and the consequent parts of the sequent is immaterial. It can be stated as

\[
\frac{\Sigma_1, b, a, \Sigma_2 \vdash_\Gamma \Delta}{\Sigma_1, a, b, \Sigma_2 \vdash_\Gamma \Delta}
\qquad
\frac{\Sigma \vdash_\Gamma \Delta_1, b, a, \Delta_2}{\Sigma \vdash_\Gamma \Delta_1, a, b, \Delta_2}
\]

As seen above, inference rules have the general form

\[
\frac{\Sigma_1 \vdash \Delta_1 \quad \cdots \quad \Sigma_n \vdash \Delta_n}{\Sigma \vdash \Delta}\ \mathrm{R}
\]

This says that if we are given a leaf of a proof tree of the form $\Sigma \vdash \Delta$, then by applying the rule named $\mathrm{R}$, we may obtain a tree with $n$ new leaves.


7.1.2 Cut Rule 

The cut rule $\mathrm{Cut}$ can be used to introduce a case split on a formula $a$ into a proof of a sequent $\Sigma \vdash_\Gamma \Delta$ so as to yield the subgoals $\Sigma, a \vdash_\Gamma \Delta$ and $\Sigma \vdash_\Gamma a, \Delta$, which can be seen as assuming $a$ along one branch and $\neg a$ along the other.

\[
\frac{(\tau(\Gamma)(a) \sim \mathrm{bool})_\Gamma \quad \Sigma, a \vdash_\Gamma \Delta \quad \Sigma \vdash_\Gamma a, \Delta}{\Sigma \vdash_\Gamma \Delta}\ \mathrm{Cut}
\]

7.1.3 Propositional Axioms 

The axioms rule $\mathrm{Ax}$ simply asserts that $a$ follows from $a$.

\[
\frac{}{\Sigma, a \vdash_\Gamma a, \Delta}\ \mathrm{Ax}
\]

The next two rules assert that any sequent with either an antecedent occurrence of $\mathrm{FALSE}$ or a consequent occurrence of $\mathrm{TRUE}$ is an axiom.

\[
\frac{}{\Sigma, \mathrm{FALSE} \vdash_\Gamma \Delta}\ \mathrm{FALSE}\vdash
\qquad
\frac{}{\Sigma \vdash_\Gamma \mathrm{TRUE}, \Delta}\ \vdash\mathrm{TRUE}
\]
7.1.4 Context Rules

Certain formulas hold in a context simply because they are already asserted in the context either as a formula or a constant definition.

\[
\frac{}{\vdash_\Gamma a}\ \mathrm{ContextFormula} \quad \text{if } a \text{ is a formula in } \Gamma
\]

\[
\frac{}{\vdash_\Gamma s = a}\ \mathrm{ContextDefinition} \quad \text{if } s: T = a \text{ is a constant definition in } \Gamma
\]

The context $\Gamma$ can be extended with antecedent formulas or negations of consequent formulas using the following two rules.

\[
\frac{\Sigma, a \vdash_{\Gamma, a} \Delta}{\Sigma, a \vdash_\Gamma \Delta}\ \mathrm{Context}\vdash
\qquad
\frac{\Sigma \vdash_{\Gamma, \neg a} a, \Delta}{\Sigma \vdash_\Gamma a, \Delta}\ \vdash\mathrm{Context}
\]

The following context-weakening rule is useful since it shows that provability is monotonic with respect to the context.

\[
\frac{\Sigma \vdash_\Gamma \Delta}{\Sigma \vdash_{\Gamma'} \Delta}\ \mathrm{ContextW} \quad \text{if } \Gamma \text{ is a prefix of } \Gamma'
\]


7.1.5 Conditional Rules 

The rules governing the elimination of IF-THEN-ELSE in a proof are unusual since they augment the context with the test part or its negation, as in the corresponding type rules.

\[
\frac{\Sigma, a, b \vdash_{\Gamma, a} \Delta \quad \Sigma, c \vdash_{\Gamma, \neg a} a, \Delta}{\Sigma, \mathrm{IF}(a, b, c) \vdash_\Gamma \Delta}
\]

\[
\frac{\Sigma, a \vdash_{\Gamma, a} b, \Delta \quad \Sigma \vdash_{\Gamma, \neg a} a, c, \Delta}{\Sigma \vdash_\Gamma \mathrm{IF}(a, b, c), \Delta}
\]


7.1.6 Equality Rules 

The rules for equality can be stated as below. The rules of transitivity and
symmetry for equality can be derived from these rules. The notation $a[e]$ is
used to highlight one or more occurrences of $e$ in the formula $a$ such that there
are no free variable occurrences in $e$.¹ The notation $\Delta[e]$ similarly highlights
occurrences of $e$ in $\Delta$.

$$
\Sigma \vdash_\Gamma a = a, \Delta \ \ \mathrm{Refl}
\qquad\qquad
\frac{a = b, \Sigma[b] \vdash_{\Gamma, a = b} \Delta[b]}{a = b, \Sigma[a] \vdash_\Gamma \Delta[a]}\ \ \mathrm{Repl}
$$

¹ We enforce an invariant on a sequent that it must not contain any free variables. This
invariant is preserved by each of the proof rules.
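As an added worked example (not part of the report), here are the two derivations the text alludes to: symmetry and transitivity of equality obtained from Repl together with Refl and Ax. In each application of Repl the highlighted occurrence of $a$ is the one in the consequent equality; $\Sigma$ and $\Delta$ are arbitrary, and the transitivity derivation assumes the usual structural exchange rule so that $b = c$ can be placed next to the turnstile for Ax.

$$
\frac{\overline{a = b, \Sigma \vdash_{\Gamma, a = b} b = b, \Delta}\ \ \mathrm{Refl}}{a = b, \Sigma \vdash_\Gamma b = a, \Delta}\ \ \mathrm{Repl}
\qquad\qquad
\frac{\overline{a = b, b = c, \Sigma \vdash_{\Gamma, a = b} b = c, \Delta}\ \ \mathrm{Ax}}{a = b, b = c, \Sigma \vdash_\Gamma a = c, \Delta}\ \ \mathrm{Repl}
$$

Read bottom-up, the left derivation rewrites the single occurrence of $a$ in the consequent $b = a$ to $b$, leaving a reflexivity axiom; the right one rewrites the $a$ in $a = c$ to $b$, at which point $b = c$ appears on both sides of the turnstile. The side condition on Repl (no free variables in the replaced expression) is met because, by the invariant in footnote 1, sequents contain no free variables.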

7.1.7 Boolean Equality Rules 

The rule Repl TRUE asserts that an antecedent formula $a$ can be treated as an
antecedent equality of the form $a = \mathrm{TRUE}$, and correspondingly, Repl FALSE
asserts that a consequent formula $a$ can be treated as an antecedent equality of
the form $a = \mathrm{FALSE}$.

$$
\frac{\Sigma[\mathrm{TRUE}], a \vdash_\Gamma \Delta[\mathrm{TRUE}]}{\Sigma[a], a \vdash_\Gamma \Delta[a]}\ \ \mathrm{Repl\,TRUE}
\qquad\qquad
\frac{\Sigma[\mathrm{FALSE}] \vdash_\Gamma a, \Delta[\mathrm{FALSE}]}{\Sigma[a] \vdash_\Gamma a, \Delta[a]}\ \ \mathrm{Repl\,FALSE}
$$

The rule TRUE-FALSE asserts that TRUE and FALSE are distinct Boolean
constants.

$$
\Sigma, \mathrm{TRUE} = \mathrm{FALSE} \vdash_\Gamma \Delta \ \ \mathrm{TRUE\text{-}FALSE}
$$


7.1.8 Reduction Rules 

The reduction rules are equality rules (axioms) that provide the obvious sim- 
plifications for applications involving lambda abstractions and product projec- 
tions. 


$$
\vdash_\Gamma (\lambda (x:T): a)(b) = a[b/x] \ \ \beta
\qquad\qquad
\vdash_\Gamma p_i(a_1, a_2) = a_i \ \ \pi
$$


7.1.9 Extensionality Rules 

The extensionality rules are also equality rules for establishing equality be-
tween two expressions of function or product type. The extensionality rule
for functions, FunExt, introduces a Skolem constant $s$ to determine that two
functions $f$ and $g$ are equal when the results of applying them to an arbitrary
argument $s$ are equal.

$$
\frac{\Sigma \vdash_{\Gamma, s : A} (f\ s) =_{B[s/x]} (g\ s), \Delta}{\Sigma \vdash_\Gamma f =_{[x : A \to B]} g, \Delta}\ \ \mathrm{FunExt} \quad \text{if } \Gamma(s) \text{ is undefined}
$$
The extensionality rule for products asserts that two products are equal if
their corresponding projections are equal.

$$
\frac{\Sigma \vdash_\Gamma p_1(a) =_{T_1} p_1(b), \Delta \qquad \Sigma \vdash_\Gamma p_2(a) =_{T_2[p_1(a)/x]} p_2(b), \Delta}{\Sigma \vdash_\Gamma a =_{[x : T_1, T_2]} b, \Delta}\ \ \mathrm{TupExt}
$$


Recall that the quantifiers can be defined in terms of lambda abstraction
and equality so that $(\forall (x:T): a)$ is just $(\lambda (x:T): a) = (\lambda (x:T): \mathrm{TRUE})$. Exis-
tential quantification $(\exists (x:T): a)$ can easily be defined as $\neg(\forall (x:T): \neg a)$. The
proof rules for quantifiers can then be derived from the rules $\beta$, TupExt, and
the equality rules.
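As an added worked example (not from the report), the following derives a right-introduction rule for the universal quantifier from the definition above together with FunExt, $\beta$, Cut, Repl, Repl TRUE, Refl and ContextW. It assumes the usual structural weakening and exchange rules (referred to in the soundness proof but not restated in this section), takes $s$ to be a Skolem constant not declared in $\Gamma$, and omits the typing premises $(\tau(\cdot)(\cdot) \sim \mathrm{bool})$ of each Cut. The abbreviations $e_1$, $e_2$, $\Sigma'$ and $\Gamma'$ are introduced here only for this derivation.

Let $e_1 \equiv (\lambda (x:T): a)(s) = a[s/x]$ and $e_2 \equiv (\lambda (x:T): \mathrm{TRUE})(s) = \mathrm{TRUE}$; both are instances of the $\beta$ axiom in context $\Gamma, s:T$. Reading bottom-up, the goal is first unfolded with FunExt at the type $[x:T \to \mathrm{bool}]$:

$$
\frac{\Sigma \vdash_{\Gamma, s:T} ((\lambda (x:T): a)\ s) =_{\mathrm{bool}} ((\lambda (x:T): \mathrm{TRUE})\ s), \Delta}{\Sigma \vdash_\Gamma (\lambda (x:T): a) =_{[x:T \to \mathrm{bool}]} (\lambda (x:T): \mathrm{TRUE}), \Delta}\ \ \mathrm{FunExt}
$$

Two Cuts introduce $e_1$ and $e_2$ as antecedents (each right branch is the corresponding $\beta$ axiom followed by weakening), and two applications of Repl rewrite the two applications in the consequent. Writing $\Sigma' \equiv e_2, e_1, \Sigma$ and $\Gamma' \equiv \Gamma, s:T, e_1, e_2$:

$$
\frac{\Sigma' \vdash_{\Gamma'} a[s/x] =_{\mathrm{bool}} \mathrm{TRUE}, \Delta}{e_1, e_2, \Sigma \vdash_{\Gamma, s:T} ((\lambda (x:T): a)\ s) =_{\mathrm{bool}} ((\lambda (x:T): \mathrm{TRUE})\ s), \Delta}\ \ \mathrm{Repl}\ (\text{twice})
$$

The remaining goal is closed by a Cut on $a[s/x]$. On the left branch $a[s/x]$ is an antecedent, so Repl TRUE turns the consequent into $\mathrm{TRUE} =_{\mathrm{bool}} \mathrm{TRUE}$, which is Refl; the right branch follows from the premise of the derived rule by weakening of antecedents and consequents and by ContextW, since $\Gamma, s:T$ is a prefix of $\Gamma'$:

$$
\frac{
\dfrac{\overline{\Sigma', a[s/x] \vdash_{\Gamma'} \mathrm{TRUE} =_{\mathrm{bool}} \mathrm{TRUE}, \Delta}\ \ \mathrm{Refl}}{\Sigma', a[s/x] \vdash_{\Gamma'} a[s/x] =_{\mathrm{bool}} \mathrm{TRUE}, \Delta}\ \ \mathrm{Repl\,TRUE}
\qquad
\dfrac{\Sigma \vdash_{\Gamma, s:T} a[s/x], \Delta}{\Sigma' \vdash_{\Gamma'} a[s/x], a[s/x] =_{\mathrm{bool}} \mathrm{TRUE}, \Delta}\ \ \text{weakening, ContextW}
}{\Sigma' \vdash_{\Gamma'} a[s/x] =_{\mathrm{bool}} \mathrm{TRUE}, \Delta}\ \ \mathrm{Cut}
$$

Collapsing the derivation gives the derived rule

$$
\frac{\Sigma \vdash_{\Gamma, s:T} a[s/x], \Delta}{\Sigma \vdash_\Gamma (\forall (x:T): a), \Delta} \quad (s \text{ not declared in } \Gamma),
$$

whose soundness needs no separate argument: it is inherited from the soundness of the primitive rules it is built from (Theorem 7.2 below).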


7.1.10 Type Constraint Rule 

We need a rule to introduce the type constraint on a term as an antecedent 
formula of the given goal sequent. 


$$
\frac{\tau(\Gamma)(a) = A \qquad \pi(A)(a), \Sigma \vdash_\Gamma \Delta}{\Sigma \vdash_\Gamma \Delta}\ \ \mathrm{Typepred}
$$


7.2 Soundness of the Proof Rules 

Proposition 7.1 If $\Gamma$ is a prefix of $\Gamma'$, $\tau()(\Gamma) = \tau()(\Gamma') = \mathrm{CONTEXT}$, $\gamma'$ is
a satisfying assignment for $\Gamma'$, and $\gamma = \gamma' \restriction \Gamma$, then for any $a$ such that
$\tau(\Gamma)(a) = \tau(\Gamma')(a)$, it is the case that $\mathcal{M}(\Gamma \mid \gamma)(a) = \mathcal{M}(\Gamma' \mid \gamma')(a)$.

Theorem 7.2 (soundness) If $\tau()(\Gamma) = \mathrm{CONTEXT}$ such that for every formula
$a$ in $\Sigma; \Delta$, $(\tau(\Gamma)(a) \sim \mathrm{bool})_\Gamma$, and $\Sigma \vdash_\Gamma \Delta$ is provable, then for any satisfying
assignment $\gamma$ for $\Gamma$, either there is a formula $b$ in $\Sigma$ such that $\mathcal{M}(\Gamma \mid \gamma)(b) = 0$
or a formula $c$ in $\Delta$ such that $\mathcal{M}(\Gamma \mid \gamma)(c) = 1$.

Proof. The proof is by induction on the structure of the proof of $\Sigma \vdash_\Gamma \Delta$.
Recall that this proof is actually part of a simultaneous induction that includes 
the soundness of the type rules relative to the semantic function, that is, 
Theorems 4.14 and 4.18. Specific invocations of the soundness theorem occur 
in the proofs of Theorem 3.19 and Proposition 4.17. 

1. Structural Rules : Since the subset of formulas in the premise and the 
conclusion of these rules are the same, the conclusion follows easily from 
the induction hypothesis. 
2. Cut: By the semantic soundness of the type rules, we have $\mathcal{M}(\Gamma \mid \gamma)(a) \in 2$.
If $\mathcal{M}(\Gamma \mid \gamma)(a) = 0$, then by the induction hypothesis on the sec-
ond subgoal of the proof rule, there must be some $b$ in $\Sigma$ such that
$\mathcal{M}(\Gamma \mid \gamma)(b) = 0$ or a $c$ in $\Delta$ such that $\mathcal{M}(\Gamma \mid \gamma)(c) = 1$. The case when
$\mathcal{M}(\Gamma \mid \gamma)(a) = 1$ is symmetrical.

3. Propositional Axioms : Obvious. 

4. Context Rules: 

ContextFormula: If $\gamma$ satisfies $\Gamma$ and $a \in \Gamma$, then $\mathcal{M}(\Gamma \mid \gamma)(a) = 1$.

ContextDefinition: If $\gamma$ satisfies $\Gamma$ and $s : T = a$ is a declaration in $\Gamma$,
then by the definition of satisfaction, $\mathcal{M}(\Gamma \mid \gamma)(s) = \mathcal{M}(\Gamma \mid \gamma)(a)$.

Context $\vdash$: The argument is trivial when $\mathcal{M}(\Gamma \mid \gamma)(a) = 0$. Oth-
erwise, $\gamma$ satisfies the extended context $\Gamma, a$, and the conclusion
follows from the induction hypothesis.

$\vdash$ Context: Similar to Context $\vdash$ above.

ContextW: If $\gamma$ satisfies $\Gamma'$, then it also satisfies $\Gamma$, and hence the
proof.

5. Conditional Rules: We only consider IF $\vdash$ since the $\vdash$ IF proof is similar.
If $\mathcal{M}(\Gamma \mid \gamma)(\mathrm{IF}(a, b, c)) = 0$, the conclusion follows trivially. Otherwise,
if $\gamma$ satisfies $\Gamma$, then $\mathcal{M}(\Gamma \mid \gamma)(a) \in 2$. If $\mathcal{M}(\Gamma \mid \gamma)(a) = 1$, then
$\mathcal{M}(\Gamma \mid \gamma)(b) = 1$. The induction hypothesis on the subgoal $\Sigma, a, b \vdash_{\Gamma, a} \Delta$
yields the desired conclusion. Similarly, if $\mathcal{M}(\Gamma \mid \gamma)(a) = 0$, we have
$\mathcal{M}(\Gamma \mid \gamma)(c) = 1$ and the induction hypothesis on the second subgoal
yields the desired conclusion.

6. Equality Rules: The Refl rule is obvious. For the Repl rule, if
$\mathcal{M}(\Gamma \mid \gamma)(a = b) = 0$, the conclusion follows trivially. Otherwise,
$\mathcal{M}(\Gamma \mid \gamma)(a) = \mathcal{M}(\Gamma \mid \gamma)(b)$. Hence, $\gamma$ satisfies the extended con-
text $\Gamma, a = b$. Then for each $c[a]$ in $\Sigma[a]$ or $\Delta[a]$, $\mathcal{M}(\Gamma \mid \gamma)(c[a]) =
\mathcal{M}(\Gamma \mid \gamma)(c[b])$.

7. Boolean Equality Rules: The Repl TRUE and Repl FALSE rules fol-
low easily since when $\mathcal{M}(\Gamma \mid \gamma)(a) = 1$, we have $\mathcal{M}(\Gamma \mid \gamma)(c[a]) =
\mathcal{M}(\Gamma \mid \gamma)(c[\mathrm{TRUE}])$. A similar argument applies to Repl FALSE.

The soundness of TRUE-FALSE is easy since $\mathcal{M}(\Gamma \mid \gamma)(\mathrm{TRUE} = \mathrm{FALSE}) = 0$.
8. Reduction Rules: The $\beta$-reduction rule follows because
$\mathcal{M}(\Gamma \mid \gamma)((\lambda (x:T): a)(b))$ is $\mathcal{M}(\Gamma, x : \mathrm{VAR}\ T \mid \gamma\{x \leftarrow \mathcal{M}(\Gamma \mid \gamma)(b)\})(a)$,
which by the Substitution Lemma 4.16 is equal to $\mathcal{M}(\Gamma \mid \gamma)(a[b/x])$.

The soundness of the $\pi$-reduction rule is a direct consequence of Definition 2.6.

9. Extensionality Rules:

FunExt: First consider the case when the domain type $\mathcal{M}(\Gamma \mid \gamma)(A)$ is
empty. Then by Definition 4.12, $\mathcal{M}(\Gamma \mid \gamma)(f) = \mathcal{M}(\Gamma \mid \gamma)(g) = 0$.
Therefore $\mathcal{M}(\Gamma \mid \gamma)(f = g) = 1$ and hence the conclusion.²
In the case when $\mathcal{M}(\Gamma \mid \gamma)(A)$ is nonempty, we have for any $\gamma$ satisfy-
ing $\Gamma$ and $z \in \mathcal{M}(\Gamma \mid \gamma)(A)$, that $\gamma'$ given by $\gamma\{s \leftarrow z\}$ is a satisfying
assignment for $\Gamma, s : A$. By the induction hypothesis, there is either
a $b$ in $\Sigma$ such that $\mathcal{M}(\Gamma, s : A \mid \gamma')(b) = 0$ or a $c$ in $(f\ s) = (g\ s), \Delta$
such that $\mathcal{M}(\Gamma, s : A \mid \gamma')(c) = 1$. If we have such a $b$ in $\Sigma$, by
Proposition 7.1, we also have that $\mathcal{M}(\Gamma \mid \gamma)(b) = 0$. A similar
argument can be used if we have such a $c$ in $\Delta$. If $c$ is $(f\ s) = (g\ s)$,
then $\mathcal{M}(\Gamma \mid \gamma)(f)(z) = \mathcal{M}(\Gamma \mid \gamma)(g)(z)$ for every $z$ in $\mathcal{M}(\Gamma \mid \gamma)(A)$.
By set-theoretic extensionality, this means that $\mathcal{M}(\Gamma \mid \gamma)(f)$ and
$\mathcal{M}(\Gamma \mid \gamma)(g)$ are identical elements of $\Pi F$, where $F$ maps $z$ in
$\mathcal{M}(\Gamma \mid \gamma)(A)$ to an element of $\mathcal{M}(\Gamma, x : \mathrm{VAR}\ A \mid \gamma\{x \leftarrow z\})(B)$.
Therefore $\mathcal{M}(\Gamma \mid \gamma)(f = g) = 1$ as desired.

TupExt: If there is some $d$ in $\Sigma$ such that by applying the induction
hypothesis to any of the subgoals $\mathcal{M}(\Gamma \mid \gamma)(d) = 0$, then the same
holds for the conclusion sequent. Similarly, if the induction hypoth-
esis on some subgoal yields a $c$ in $\Delta$ such that $\mathcal{M}(\Gamma \mid \gamma)(c) = 1$,
then the same holds for the conclusion sequent. So the remain-
ing case is when, by the induction hypothesis, $\mathcal{M}(\Gamma \mid \gamma)(p_i(a)) =
\mathcal{M}(\Gamma \mid \gamma)(p_i(b))$ for each $i \in \{1, 2\}$. It is therefore easy to conclude
by set-theoretic extensionality that $\mathcal{M}(\Gamma \mid \gamma)(a)$ and $\mathcal{M}(\Gamma \mid \gamma)(b)$
are identical elements of $\mathcal{M}(\Gamma \mid \gamma)(\mu([T_1, T_2]))$. We can then use
Proposition 4.17 to conclude that $\mathcal{M}(\Gamma \mid \gamma)(a)$ and $\mathcal{M}(\Gamma \mid \gamma)(b)$ are
identical elements of $\mathcal{M}(\Gamma \mid \gamma)([T_1, T_2])$.

10. Type Constraint Rule: Recall from Proposition 3.17 that when $\tau(\Gamma)(a) =
A$, then $\mathcal{M}(\Gamma \mid \gamma)(\pi(A)(a)) = 1$. Given this and the induction hy-
pothesis, it must either be the case that we have a $b$ in $\Sigma$ such that
$\mathcal{M}(\Gamma \mid \gamma)(b) = 0$ or a $c$ in $\Delta$ such that $\mathcal{M}(\Gamma \mid \gamma)(c) = 1$.

² Since the subgoal sequent $\Sigma \vdash_{\Gamma, s : A} (f\ s) = (g\ s), \Delta$ is valid when $\mathcal{M}(\Gamma \mid \gamma)(A) = 0$ for
all assignments $\gamma$, it is natural to ask how it is actually proved. The only way a type $A$ can
be empty under any assignment $\gamma$ is if $\mathcal{M}(\Gamma \mid \gamma)(\pi(A)(a)) = 0$. The Typepred rule can
therefore be used on the Skolem constant $s$ to complete the proof.


To tie the development so far into a single simultaneous induction as 
promised, we state the key theorem whose subproofs have been given by the 
theorems presented thus far, namely, Theorems 4.14, 4.18, and 7.2. 

Theorem 7.3 If $\tau()(\Gamma) = \mathrm{CONTEXT}$, then

1. If $\Sigma, \Delta$ is a list of preterms such that for every $a$ in $\Sigma; \Delta$, $(\tau(\Gamma)(a) \sim
\mathrm{bool})_\Gamma$, and $\Sigma \vdash_\Gamma \Delta$ is provable, then for any satisfying assignment $\gamma$ for
$\Gamma$, either there is a $b$ in $\Sigma$ such that $\mathcal{M}(\Gamma \mid \gamma)(b) = 0$ or a $c$ in $\Delta$ such
that $\mathcal{M}(\Gamma \mid \gamma)(c) = 1$.

2. If $A$ is a pretype such that $\tau(\Gamma)(A) = \mathrm{TYPE}$, then for any assignment $\gamma$
satisfying $\Gamma$, $\mathcal{M}(\Gamma \mid \gamma)(A) \in \mathcal{U}$.

3. If $a$ is a preterm such that $\tau(\Gamma)(a) = A$, then for any assignment $\gamma$
satisfying $\Gamma$, $\mathcal{M}(\Gamma \mid \gamma)(a) \in \mathcal{M}(\Gamma \mid \gamma)(A)$.

7.3 Summary 

The logical inference rules for the PVS logic have been presented in a sequent 
calculus format. The formal semantics presented in the earlier chapters is used 
to establish the soundness of these proof rules. 



Chapter 8 
Conclusion 


We have presented the syntax and semantics of idealized PVS in several stages. 
In the first stage we introduced the simply typed fragment, which was then ex- 
tended with type definitions. The third such fragment included subtyping; the 
fourth fragment introduced dependent typing. Finally, we introduced constant 
definitions and parametric and nonparametric theories. 

The semantic definition was given in a novel, functional style where a 
canonical type was assigned to each type correct term. The interplay be- 
tween types and proofs in PVS introduced subtleties and complexities into 
the semantic definition. We can now answer some of the questions raised in 
Chapter 1: 

• What is the semantic core of the language, and what is just syntactic 
sugar? 

The semantic core of the language is a typed lambda calculus with simple 
function and tuple types, predicate subtypes, dependent types, paramet- 
ric theories, and conditional expressions. Many of the other features of 
the PVS language such as records and update expressions can be ex- 
plained in terms of the core language. 

• What are the rules for determining whether a given PVS expression is 
well typed? 

The typechecking rules have been presented in terms of the definition of
the $\tau$ operator in Chapters 2, 3, 4, 5, and 6.

• How is subtyping handled, and in particular, how are proof obligations 
corresponding to subtypes generated? 

Typechecking an expression $a$ with respect to predicate subtype con-
straint $\{x : T \mid p(x)\}$ is done by generating the proof obligation $p(a)$ under
the logical context in which $a$ is being typechecked. This is made pre-
cise in Definitions 3.10 and 6.2. Proof obligations are generated when
typechecking contexts (for nonemptiness), typechecking expressions with
respect to expected subtypes, and comparing two types containing sub-
type expressions for compatibility.

• What is the meaning, in set-theoretic terms, of a PVS expression or 
assertion? 

The set-theoretic meaning of well-formed PVS types and expressions is
given by a meaning function $\mathcal{M}$ that assigns a set $\mathcal{M}(\Gamma \mid \gamma)(T)$ from the
universe $\mathcal{U}$ to each type $T$, and an element $\mathcal{M}(\Gamma \mid \gamma)(a)$ of $\mathcal{M}(\Gamma \mid \gamma)(T)$
to a given term $a$ of type $T$.

• Are the type rules sound with respect to the semantics? 

The typechecking function $\tau$ is defined to check contexts, preterms, and
pretypes for type correctness. The type rules are shown to be sound with
respect to the given semantics in Theorem 7.3.

• Are the proof rules sound with respect to the semantics? 

The proof rules are given in Chapter 7 in a sequent calculus format and 
proved to be sound with respect to the semantics in Theorem 7.3. 

• What is the form of dependent typing used by PVS, and what kinds of 
type dependencies are disallowed by the language? 

The semantic analysis of dependent typing in Chapter 4 revealed that 
type dependencies were constrained to be rank-bounded. This is true be- 
cause the dependencies in dependent typing only constrain the predicate 
part of predicate subtypes. Thus, when there is a dependent type T(n) 
that depends on a parameter n, the meaning of T(n) has a fixed rank re- 
gardless of the meaning assigned to n. The PVS language features used 
to define dependent types all preserve the rank-boundedness. Language 
extensions violating rank-boundedness such as a type dependency of the
form $[n : \mathrm{nat} \to T^n]$ are disallowed. One can extend the language with
such dependent types, but the semantics would then be considerably 
more complicated. 

• What is the meaning of theory-level parametricity, and what, if any, are 
the semantic limits on such parameterization? 





The semantics of parametric theories is described in Chapter 5. In par- 
ticular, the semantics for parametric theories is given in terms of rank- 
preserving maps between the meanings of the parameters and the mean- 
ings of the identifiers declared in the theory. These maps must be such 
that the rank of an assignment to a type in a theory depends only on 
the ranks of the (meanings of the) type parameters. 

• What language extensions are incompatible with the reference semantics 
given here? 

We have already indicated that any language extension, such as an $n$-
tuple type $T^n$, that violates rank-boundedness would be incompatible
with the semantics presented here.

This report presents only the core language of PVS. A more complete 
semantic treatment would include arithmetic, recursive constant definitions, 
inductive definitions, recursive datatypes, assumptions on theory parameters, 
and type judgements. 